EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the lobehub package, affecting versions <= 2.1.56, specifically a Server-Side Request Forgery (SSRF) vulnerability in the `/webapi /proxy` endpoint. This vulnerability allows attackers to make arbitrary outbound requests and inject cookies on the `lobehub .com` domain, posing a significant business risk and potential impact on the organization's security posture.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the lobehub package, affecting versions <= 2.1.56, specifically a Server-Side Request Forgery (SSRF) vulnerability in the `/webapi /proxy` endpoint. This vulnerability allows attackers to make arbitrary outbound requests and inject cookies on the `lobehub .com` domain, posing a significant business risk and potential impact on the organization's security posture.[emaillocker id="1283"]
CVE-2026-54157 with a CVSS score of 9.0 – This vulnerability is a Server-Side Request Forgery (SSRF) in the `/webapi /proxy` endpoint, allowing attackers to make arbitrary outbound requests from LobeHub's infrastructure and inject cookies on the `lobehub .com` domain through reflected `Set-Cookie` headers.
The overall risk and urgency of this vulnerability are high, as it can be exploited to gain unauthorized access to sensitive information and disrupt business operations. If exploited, this vulnerability could result in significant business consequences, including data breaches, financial losses, and reputational damage, highlighting the need for immediate attention and action to mitigate potential threats.
RECOMMENDATION:
We recommend you to update lobehub to version 2.1.57.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-xmwj-c75x-6346