LobeChat
cpe:2.3:a:lobehub:lobe_chat:*:*:*:*:*:*:*
- <= v2.0.0-next.179
A stored Cross-Site Scripting (XSS) vulnerability has been identified in LobeChat versions prior to 2.0.0-next.180. This issue resides in the Mermaid artifact renderer, where user-generated content is rendered without proper sanitization. Attackers can inject malicious JavaScript that is executed within the application context. Furthermore, this XSS vulnerability can be escalated to Remote Code Execution (RCE) by exploiting the `electronAPI` IPC bridge, which allows the execution of arbitrary system commands on the victim's machine.
Exploitation of this vulnerability allows for Remote Code Execution on the affected user's machine.
To reproduce this vulnerability, create a Mermaid diagram that includes malicious JavaScript. The injected script can be crafted to use the `electronAPI` IPC bridge to execute system commands. Once the diagram is rendered in the application, the JavaScript will execute, calling the `runCommand` function with the specified command as an argument. This will trigger the execution of the command on the user's system, demonstrating the successful escalation from XSS to RCE.
Users should update to LobeChat version 2.0.0-next.180 or later, where this vulnerability has been patched.
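The escalation described above works because the renderer-side `electronAPI` bridge accepts a command string and the main process runs it. As an added illustration (not LobeChat's code and not the fix shipped in 2.0.0-next.180), the following is the main-process half of a least-privilege IPC bridge: the renderer may request a named, allowlisted operation with validated arguments, and never a command line. The operation name, the program it maps to and the `app://lobe` origin are assumptions made for the example.

```javascript
// Added illustration, not LobeChat's code. Main-process side of a least-privilege
// Electron IPC bridge. The weak pattern it replaces is an exposed runCommand(cmd)
// whose string the main process hands to a shell: any renderer XSS (here, in the
// Mermaid output) then becomes command execution on the user's machine.

// Allowlist of operations. The program and its fixed arguments are decided here;
// the renderer may only supply arguments that pass the validator.
// Operation name and program are hypothetical.
const OPERATIONS = {
  'export-diagram': {
    program: 'rsvg-convert',
    fixedArgs: ['-f', 'png'],
    // exactly one bare file name, no path separators or shell metacharacters
    validateArgs: (a) => a.length === 1 && /^[A-Za-z0-9_-]{1,64}\.svg$/.test(a[0]),
  },
};

// Hypothetical origin the app's own pages load from. Messages from any other
// frame (e.g. a loaded remote page) are rejected before the allowlist is consulted.
const TRUSTED_ORIGIN = 'app://lobe';

// Turns an IPC request into a concrete program plus argv array, or throws.
// Pure function, so it can be unit tested without Electron.
function planInvocation(request, senderUrl, operations = OPERATIONS) {
  const u = new URL(senderUrl);
  if (`${u.protocol}//${u.host}` !== TRUSTED_ORIGIN) throw new Error('untrusted sender');
  if (!request || typeof request.op !== 'string') throw new Error('bad request');
  // hasOwnProperty guards against prototype names such as "constructor" or "__proto__"
  const spec = Object.prototype.hasOwnProperty.call(operations, request.op)
    ? operations[request.op] : null;
  if (!spec) throw new Error(`unknown operation: ${request.op}`);
  const args = Array.isArray(request.args) ? request.args : [];
  if (!args.every((x) => typeof x === 'string') || !spec.validateArgs(args)) {
    throw new Error('invalid arguments');
  }
  return { program: spec.program, argv: [...spec.fixedArgs, ...args] };
}

// Main-process wiring (needs Electron, so shown as a comment):
//   ipcMain.handle('app:op', (event, request) => {
//     const { program, argv } = planInvocation(request, event.senderFrame.url);
//     // argv array with shell: false, so no string is ever parsed by a shell
//     return require('node:child_process').spawnSync(program, argv, { shell: false }).status;
//   });

module.exports = { planInvocation, OPERATIONS, TRUSTED_ORIGIN };
```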