Описание
Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)
Summary
A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).
Details
The vulnerability exists in the Renderer component responsible for rendering Mermaid diagrams within chat artifacts.
The content variable, which is derived from user or AI-generated messages, is passed directly to the <Mermaid> component without any sanitization. The Mermaid library renders HTML labels (e.g., nodes defined with ["..."]) directly into the DOM. If the content contains malicious HTML tags (like <img onerror=...>), they are executed.
PoC
Impact
Remote Code Execution (RCE)
Пакеты
@lobehub/chat
<= 1.143.2
Отсутствует
Связанные уязвимости
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.