LobeHub Unauthenticated Authentication Bypass Vulnerability in WebAPI

Vulnerability

A vulnerability in LobeHub's WebAPI authentication layer allows unauthenticated access to protected routes. The authentication payload is carried in a client-controlled header, 'X-lobe-chat-auth', whose contents are only XOR-obfuscated, not signed or otherwise authenticated, and the XOR key is hardcoded in the repository. Anyone who reads the key can forge a payload that the server accepts as genuine, bypassing authentication on several WebAPI routes. This vulnerability affects LobeHub versions prior to 2.1.48.

Impact

Because the server treats the header contents as authenticated, an attacker who forges it bypasses authentication on the affected WebAPI routes. This includes impersonating other users, accessing user-specific provider configurations, and invoking privileged backend model operations such as chat completions and image generation.

Reproduction

To reproduce this vulnerability, send a request to a protected WebAPI route, such as '/webapi/chat/[provider]', with a forged 'X-lobe-chat-auth' header. The header value is the authentication payload XOR-obfuscated with the hardcoded key 'LobeHub · LobeHub'. The payload can carry an 'apiKey' or a 'userId', so the request is handled as if it came from an authenticated user. Since XOR with a known key is symmetric, the same routine that forges a header also decodes any captured legitimate one.

Remediation

Update to LobeHub version 2.1.48 or later, where this vulnerability is fixed. Because a forged header is indistinguishable on the wire from a legitimate one, no configuration change short of upgrading removes the issue.

Added: Apr 8, 2026, 10:50 PM
Updated: Apr 8, 2026, 10:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.