LobeHub
cpe:2.3:a:lobehub:lobe_chat:*:*:*:*:*:*:*
- <= 2.1.47
A cross-site scripting (XSS) vulnerability has been identified in the LobeHub Electron application, specifically in the LobeChat feature, prior to version 2.1.48. The issue arises when custom tags are processed in the rendering component. If no type match is found, the default HTMLRenderer method is called. This behavior can be exploited by inducing the language model to output content with malicious tags, creating an XSS vulnerability on the client side. Furthermore, LobeChat's Electron main process exposes an insecure inter-process communication (IPC) interface called runCommand, which allows arbitrary command execution. The runCommand method does not filter command parameters, enabling execution of system commands with the current user's privileges if an attacker can access window.parent.electronAPI via XSS.
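The two weaknesses described above (an unmatched custom tag falling through to a raw-HTML renderer, and an IPC command handler that accepts unfiltered input) have a common hardened shape: escape anything unknown and allowlist anything executable. The following is an added illustration, not LobeChat's code; the tag names, the allowlist entries and the request shape are assumptions.

```javascript
// Added example (not LobeChat's code). Shows a renderer fallback that escapes
// unknown tags instead of emitting raw HTML, and an IPC guard that allowlists
// command names and validates arguments. Names/shapes here are assumptions.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Renderers keyed by custom-tag type; each escapes the body it wraps.
const TAG_RENDERERS = {
  code: (body) => `<pre><code>${escapeHtml(body)}</code></pre>`,
  quote: (body) => `<blockquote>${escapeHtml(body)}</blockquote>`,
};

// Weak pattern from the advisory: an unknown type falls back to raw HTML,
// so model output reaches the DOM verbatim.
function renderTagVulnerable(type, body) {
  const r = TAG_RENDERERS[type];
  return r ? r(body) : body; // raw passthrough
}

// Hardened: own-property lookup (so 'constructor' etc. do not match) and an
// escaped-text fallback for every type without a registered renderer.
function renderTagHardened(type, body) {
  const r = Object.prototype.hasOwnProperty.call(TAG_RENDERERS, type)
    ? TAG_RENDERERS[type] : null;
  return r ? r(body) : `<span>${escapeHtml(body)}</span>`;
}

// IPC guard for a main-process command handler: exact-match command names,
// each paired with a validator for its (at most one) argument. Returns the
// validated argv, or null if the request must be rejected.
const COMMAND_ALLOWLIST = {
  'git-version': null,                      // takes no argument
  'show-item': (a) => /^[\w-]{1,64}$/.test(a), // one short identifier
};

function validateCommandRequest(req) {
  if (!req || typeof req.name !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(COMMAND_ALLOWLIST, req.name)) return null;
  const check = COMMAND_ALLOWLIST[req.name];
  const args = Array.isArray(req.args) ? req.args : [];
  if (check === null) return args.length === 0 ? [req.name] : null;
  if (args.length !== 1 || typeof args[0] !== 'string' || !check(args[0])) return null;
  return [req.name, args[0]];
}
```

Wiring `validateCommandRequest` in front of the real `ipcMain` handler, and exposing only the validated commands through `contextBridge`, is what keeps a renderer-side XSS from reaching a shell.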
Exploitation of this vulnerability allows for cross-site scripting, which can be used to execute arbitrary commands on the victim's system through the Electron application's IPC interface.
To reproduce this vulnerability, configure an LLM provider in the LobeChat application with an endpoint that can send malicious payloads. Once the endpoint is set, normal conversation messages can be sent to trigger the XSS vulnerability, which in turn executes arbitrary commands on the user's system.
Users should update to LobeHub version 2.1.48 or later, where this vulnerability has been fixed.