CVE-2025-59417 in lobe-chat
Summary
by MITRE • 09/18/2025
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.129.4, there is a a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. In lobe-chat, when the response from the server is like , it will be rendered with the lobeArtifact node, instead of the plain text. However, when the type of the lobeArtifact is image/svg+xml , it will be rendered as the SVGRender component, which internally uses dangerouslySetInnerHTML to set the content of the svg, resulting in XSS attack. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability. This vulnerability is fixed in 1.129.4.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/26/2025
The vulnerability identified as CVE-2025-59417 affects Lobe Chat, an open-source artificial intelligence chat framework that provides a platform for interacting with large language models through a web-based interface. This security flaw represents a critical cross-site scripting vulnerability that exists in versions prior to 1.129.4, creating a potential pathway for attackers to execute arbitrary code on users' machines. The vulnerability stems from how the application processes and renders different types of content within chat messages, specifically when handling artifacts that are rendered as SVG elements. The flaw demonstrates a dangerous improper input validation and output encoding issue that directly violates security principles for web application development.
The technical implementation of this vulnerability occurs through a specific rendering pathway within the Lobe Chat framework. When server responses contain content that matches certain patterns, the application processes these responses through the lobeArtifact node system rather than treating them as plain text. The vulnerability becomes apparent when the lobeArtifact type is set to image/svg+xml, which triggers the SVGRender component to handle the content. This component utilizes dangerouslySetInnerHTML, a React method that bypasses normal HTML escaping mechanisms and directly injects HTML content into the DOM. This approach creates a direct vector for XSS attacks because the content is rendered without proper sanitization, allowing attackers to inject malicious script code that executes in the context of the user's browser session.
The operational impact of this vulnerability extends far beyond typical XSS scenarios, as it can be escalated to achieve remote code execution on users' machines. Attackers capable of injecting content into chat messages can exploit this vulnerability through various means including hosting malicious web pages designed for prompt injection, compromising MCP servers that the application communicates with, or leveraging compromised tool integrations. The attack surface is particularly concerning because it allows adversaries to manipulate the application's rendering behavior to execute malicious code in the user's browser context, potentially leading to complete system compromise. This vulnerability represents a significant risk to users who interact with untrusted content through the chat interface, as it transforms a simple web application into a potential attack vector for more sophisticated exploitation techniques.
Security practitioners should recognize this vulnerability as a clear example of CWE-79 (Cross-site Scripting) and potentially CWE-94 (Improper Control of Generation of Code) when the XSS is escalated to code execution. The ATT&CK framework categorizes this under T1566 (Phishing) and T1059 (Command and Scripting Interpreter) as attackers would need to establish initial access through content injection and then execute malicious code on the target system. Organizations using Lobe Chat should immediately update to version 1.129.4 or later to remediate this vulnerability. Additionally, administrators should implement network-level monitoring to detect potential exploitation attempts and establish content filtering mechanisms to prevent injection of malicious artifacts into chat sessions. The vulnerability highlights the importance of proper input validation and output encoding in web applications, particularly when dealing with dynamic content rendering that involves potentially untrusted data sources.