Lobe Chat Open Redirect Vulnerability in OIDC Redirect Handling

Vulnerability

An open redirect vulnerability has been identified in Lobe Chat versions prior to 1.130.1. The issue arises in the application's OpenID Connect (OIDC) redirect handling, where the host and protocol of the final redirect URL are constructed from the X-Forwarded-Host and Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards these headers to the origin without validation, an attacker can inject a malicious host, producing an open redirect that sends users to an attacker-controlled domain.
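
The header-derived construction described above, shown as an added example (not Lobe Chat's code) beside a hardened variant that honours forwarded headers only for hosts on a configured allowlist and otherwise falls back to a configured canonical origin. The allowlist, the canonical origin and the sample headers are assumptions constructed for the example.

```typescript
// Added example, not Lobe Chat's code. The unsafe function mirrors the pattern
// the advisory describes; the safe one applies an allowlist (assumed config).
type HeaderMap = Record<string, string | undefined>;

// Unsafe: whatever a client or an unvalidated proxy puts in X-Forwarded-Host
// becomes the origin of the OIDC redirect.
function unsafeRedirectBase(headers: HeaderMap): string {
  const host = headers["x-forwarded-host"] ?? headers["host"] ?? "localhost";
  const proto = headers["x-forwarded-proto"] ?? "http";
  return `${proto}://${host}`;
}

// Hardened: forwarded headers are only honoured when the host is on an
// explicit allowlist; anything else falls back to the canonical origin.
function safeRedirectBase(
  headers: HeaderMap,
  allowedHosts: ReadonlySet<string>,
  canonicalOrigin: string,
): string {
  const rawHost = headers["x-forwarded-host"] ?? headers["host"];
  if (!rawHost) return canonicalOrigin;
  // X-Forwarded-Host may be a comma-separated chain; the first entry is the
  // client-facing host. Normalise case before comparing.
  const host = rawHost.split(",")[0].trim().toLowerCase();
  // Only a plain host[:port] is accepted, so userinfo, paths or fragments
  // cannot smuggle a different authority past the allowlist check.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host) || !allowedHosts.has(host)) {
    return canonicalOrigin;
  }
  // Never reflect an arbitrary scheme; only https or http are possible.
  const proto = headers["x-forwarded-proto"] === "https" ? "https" : "http";
  return `${proto}://${host}`;
}

// Constructed sample request headers (not captured from a real deployment).
const forgedHeaders: HeaderMap = {
  host: "chat.example.com",
  "x-forwarded-host": "evil.example",
  "x-forwarded-proto": "https",
};
const allowed = new Set(["chat.example.com", "beta.example.com"]);
console.log(unsafeRedirectBase(forgedHeaders)); // https://evil.example
console.log(safeRedirectBase(forgedHeaders, allowed, "https://chat.example.com")); // https://chat.example.com
```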

Impact

Exploitation of this vulnerability allows for open redirection to untrusted external domains, which could be used for phishing attacks, credential harvesting, or session fixation. Additionally, it disrupts the OAuth/OIDC flow by redirecting users to malicious sites that appear legitimate, potentially leading to social engineering attacks.

Reproduction

To reproduce this vulnerability, send a POST request to the '/oidc/consent' endpoint with the 'X-Forwarded-Host' header set to a malicious domain and the 'X-Forwarded-Proto' header set to 'https'. This can be done using a tool like curl.

Remediation

Users can update to Lobe Chat version 1.130.1 or later, where this vulnerability has been patched.

Added: Sep 25, 2025, 2:22 PM
Updated: Sep 25, 2025, 3:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.