CVE-2026-54157
JavaScript Vulnerability Analysis and Mitigation

Overview

CVE-2026-54157 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /webapi/proxy endpoint of LobeHub, an open-source AI chat framework. The flaw allows any unauthenticated attacker to make arbitrary outbound HTTP requests from LobeHub's server infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain via reflected Set-Cookie headers. It affects the npm package @lobehub/lobehub versions ≤ 2.1.56, with version 2.1.57 containing the fix. The vulnerability was published to the GitHub Advisory Database on June 16, 2026, and carries a CVSS v3.1 base score of 9.0 (Critical) (GitHub Advisory).

Technical Details

The root cause is a missing authentication check on the POST /webapi/proxy route, implemented in src/app/(backend)/webapi/proxy/route.ts, which turns the handler into an unauthenticated SSRF primitive (CWE-918). The handler reads a URL from the POST request body and passes it straight to ssrfSafeFetch() without first wrapping the route in the checkAuth() middleware that every other /webapi/* route (e.g., /webapi/chat/*, /webapi/models/*, /webapi/create-image/*) uses. Compounding the issue, the Next.js middleware is configured to call NextResponse.next() for any path starting with /webapi/, so neither the route handler nor the middleware enforces authentication: the route depends entirely on a per-handler wrapper that was never applied. This is a recurrence of CVE-2024-32964, in which the older /api/proxy endpoint was fixed by adding auth middleware while the /webapi/proxy route was overlooked. The proxy also copies upstream response headers (including Set-Cookie) to the client, stripping only Content-Encoding and Content-Length, which is what makes the cookie-injection attack possible (GitHub Advisory, LobeHub Advisory).
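To make the pattern concrete, the following TypeScript sketch (an added illustration written for this page, not LobeHub's actual route code) places a proxy handler shaped like the one described above beside a hardened variant. The request and response types, isAuthenticated() (standing in for checkAuth()), DEMO_TOKEN, RELAYED_HEADERS and the attackerUpstream fetcher are all constructed for the example; a real handler would be async and use the Fetch API, but the control flow and the header handling are what matter here.

```typescript
// Added illustration for this page; NOT LobeHub's code. It models the handler shape
// the advisory describes (unauthenticated POST proxy that reflects upstream headers)
// next to a hardened variant. Fetching is injected and synchronous so it runs offline.

type HeaderMap = Record<string, string>; // header names lower-cased

interface ProxyRequest {
  headers: HeaderMap;
  body: string; // raw target URL, as the /webapi/proxy handler reads it
}

interface ProxyResponse {
  status: number;
  headers: HeaderMap;
  body: string;
}

// Stand-in for the upstream fetch so the example needs no network.
type Fetcher = (url: string) => ProxyResponse;

// Hypothetical session check standing in for the checkAuth() wrapper that the other
// /webapi/* routes use. The scheme is irrelevant; what matters is that it is invoked.
const DEMO_TOKEN = "Bearer demo-session-token"; // constructed value
function isAuthenticated(req: ProxyRequest): boolean {
  return req.headers["authorization"] === DEMO_TOKEN;
}

// Vulnerable shape: no auth gate, and a deny-list that strips only two headers, so
// Set-Cookie (and anything else upstream sends) reaches the caller's browser.
function vulnerableProxy(req: ProxyRequest, fetchUpstream: Fetcher): ProxyResponse {
  const upstream = fetchUpstream(req.body);
  const headers: HeaderMap = {};
  for (const [name, value] of Object.entries(upstream.headers)) {
    if (name === "content-encoding" || name === "content-length") continue;
    headers[name] = value;
  }
  return { status: upstream.status, headers, body: upstream.body };
}

// Headers a link-preview proxy has a reason to relay. Everything else, Set-Cookie
// included, is dropped instead of having to be enumerated in a deny-list.
const RELAYED_HEADERS = new Set(["content-type", "cache-control", "etag", "last-modified"]);

function isHttpTarget(raw: string): boolean {
  try {
    const url = new URL(raw);
    return url.protocol === "http:" || url.protocol === "https:";
  } catch {
    return false;
  }
}

// Hardened shape: authenticate first, validate the target, then allow-list headers.
// Blocking private and link-local destinations (169.254.169.254 etc.) belongs in the
// fetch layer and is deliberately not modelled here.
function hardenedProxy(req: ProxyRequest, fetchUpstream: Fetcher): ProxyResponse {
  if (!isAuthenticated(req)) {
    return { status: 401, headers: { "content-type": "text/plain" }, body: "unauthorized" };
  }
  if (!isHttpTarget(req.body)) {
    return { status: 400, headers: { "content-type": "text/plain" }, body: "bad target" };
  }
  const upstream = fetchUpstream(req.body);
  const headers: HeaderMap = {};
  for (const [name, value] of Object.entries(upstream.headers)) {
    if (RELAYED_HEADERS.has(name)) headers[name] = value;
  }
  return { status: upstream.status, headers, body: upstream.body };
}

// Constructed upstream behaving like the attacker-controlled server in the
// cookie-injection scenario: it answers with a Set-Cookie for the Clerk session cookie.
const attackerUpstream: Fetcher = () => ({
  status: 200,
  headers: {
    "content-type": "text/html",
    "content-length": "2",
    "set-cookie": "__session=attacker-chosen-value; Path=/; Secure",
  },
  body: "ok",
});

// Constructed requests: the anonymous one mirrors a text/plain curl POST.
const anonymousRequest: ProxyRequest = {
  headers: { "content-type": "text/plain;charset=UTF-8" },
  body: "https://attacker.example/set-cookie",
};
const authenticatedRequest: ProxyRequest = {
  ...anonymousRequest,
  headers: { ...anonymousRequest.headers, authorization: DEMO_TOKEN },
};
```

Running vulnerableProxy(anonymousRequest, attackerUpstream) yields a 200 whose headers still carry the upstream Set-Cookie; hardenedProxy() answers the same request with 401, and even for an authenticated caller it relays only the allow-listed headers. The allow-list is the part worth copying: a deny-list has to anticipate every dangerous header, whereas an allow-list fails closed.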

Impact

An unauthenticated attacker can use LobeHub's server infrastructure as an anonymous proxy to reach internal services, cloud metadata endpoints (e.g., AWS IMDSv1), and Vercel's management-plane APIs. Because the endpoint accepts a cross-site POST with no authentication, the SSRF can be chained with CSRF: a victim's browser is made to POST to /webapi/proxy with an attacker-controlled upstream URL, and the reflected Set-Cookie header is stored by the browser for lobehub.com. This lets the attacker inject Clerk authentication cookies (__session, __clerk_db_jwt, __client_uat), enabling session fixation, where the attacker pre-sets a known session value and later hijacks the victim's authenticated session. Additionally, the endpoint leaks Vercel infrastructure details including egress IPs and the Traceparent and X-Vercel-Id headers, and has no rate limiting, so LobeHub's IP reputation can be abused for scanning, phishing, or bypassing IP-based trust controls (GitHub Advisory).

Exploitation Steps

  1. Reconnaissance: Identify LobeHub instances running @lobehub/lobehub ≤ 2.1.56, including the hosted instance at app.lobehub.com, using Shodan, Censys, or direct version enumeration.
  2. Confirm SSRF: Send an unauthenticated POST request to /webapi/proxy with an external URL in the body to confirm the endpoint is reachable and unprotected:

curl -X POST -H "Content-Type: text/plain;charset=UTF-8" \
  -d "https://httpbin.org/ip" \
  "https://app.lobehub.com/webapi/proxy"

     A successful response returns the server's egress IP rather than the client's, confirming that the request was issued from LobeHub's infrastructure. On a patched instance (≥ 2.1.57) checkAuth() rejects the unauthenticated request instead.
  3. Probe internal/cloud resources: Target cloud metadata endpoints or internal services:

curl -X POST -H "Content-Type: text/plain;charset=UTF-8" \
  -d "http://169.254.169.254/latest/meta-data/" \
  "https://app.lobehub.com/webapi/proxy"

     Note that the handler calls ssrfSafeFetch(); whether link-local and private-range targets are actually reachable depends on that helper's filtering, so judge this step by the response body rather than assuming it succeeds.
  4. Cookie injection via CSRF: Host a malicious HTML page that auto-submits a form to /webapi/proxy, pointing to an attacker-controlled server that responds with a Set-Cookie header for lobehub.com. When a victim visits the page, the proxy reflects the cookie header and the victim's browser stores the attacker-controlled session cookie on lobehub.com.
  5. Session fixation: After injecting a known __session cookie value, wait for the victim to log in. If Clerk reuses the pre-set session identifier, the attacker can authenticate using the same known value to access the victim's account (GitHub Advisory).

Indicators of Compromise

  • Network: Unusual outbound HTTP requests from the LobeHub/Vercel serverless function egress IP to internal RFC-1918 addresses, cloud metadata endpoints (e.g., 169.254.169.254), or Vercel management APIs (api.vercel.com, edge-config.vercel.com).
  • Network: High volume of unauthenticated POST requests to /webapi/proxy from diverse source IPs, potentially indicating abuse as an anonymous proxy.
  • Logs: Server access logs showing POST requests to /webapi/proxy without authentication material (no Authorization header, no session cookies) from external IPs. Pair this with the response status: on an unpatched instance these requests succeed, while on a patched one they are rejected by checkAuth() and indicate attempts rather than successes.
  • Logs: Responses from /webapi/proxy containing Set-Cookie headers for lobehub.com domain cookies (__session, __clerk_db_jwt, __client_uat) in server-side request logs.
  • Logs: Presence of Traceparent and X-Vercel-Id headers in proxied responses, indicating infrastructure detail leakage.
  • Application: Unexpected or duplicate Clerk session tokens appearing in authentication logs, potentially indicating session fixation attempts (GitHub Advisory).
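The following TypeScript detector is an added example written for this page, not LobeHub's or any vendor's tooling: it applies the log-based indicators above as rules over a constructed JSON-lines access log. The field names (src, auth, target, resp_headers), the rule names, and the sample entries are all assumptions made for the illustration; real access logs would have to be mapped onto the same fields first.

```typescript
// Added detection example written for this page; not LobeHub's or any vendor's tooling.
// Each log line is one request in a constructed JSON shape; map real access logs onto
// these fields before reusing the rules.

interface AccessLogEntry {
  ts: string;
  src: string;                          // client IP
  method: string;
  path: string;
  auth: boolean;                        // Authorization header or session cookie present
  target: string;                       // URL the proxy was asked to fetch ("" otherwise)
  resp_headers: Record<string, string>; // response headers, names lower-cased
}

interface Finding {
  rule: "unauthenticated-proxy" | "internal-target" | "cookie-reflection";
  ts: string;
  src: string;
  detail: string;
}

const PROXY_PATH = "/webapi/proxy";
const CLERK_COOKIES = ["__session", "__clerk_db_jwt", "__client_uat"];
const MANAGEMENT_HOSTS = new Set(["api.vercel.com", "edge-config.vercel.com"]);

// RFC-1918, loopback and link-local (which covers 169.254.169.254) IPv4 literals,
// plus the management hosts named in the indicators. IPv6 literals are not handled.
function isInternalOrMetadataHost(host: string): boolean {
  if (host === "localhost" || MANAGEMENT_HOSTS.has(host)) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m === null) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 10 ||
    a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

function targetHost(url: string): string | null {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

function analyzeEntry(e: AccessLogEntry): Finding[] {
  const out: Finding[] = [];
  if (e.method !== "POST" || e.path !== PROXY_PATH) return out;
  if (!e.auth) {
    out.push({ rule: "unauthenticated-proxy", ts: e.ts, src: e.src, detail: e.target });
  }
  const host = targetHost(e.target);
  if (host !== null && isInternalOrMetadataHost(host)) {
    out.push({ rule: "internal-target", ts: e.ts, src: e.src, detail: host });
  }
  const cookie = e.resp_headers["set-cookie"];
  if (cookie !== undefined && CLERK_COOKIES.some((n) => cookie.startsWith(n + "="))) {
    out.push({ rule: "cookie-reflection", ts: e.ts, src: e.src, detail: cookie.split("=")[0] });
  }
  return out;
}

function parseLog(lines: string): AccessLogEntry[] {
  return lines
    .split("\n")
    .filter((l) => l.trim() !== "")
    .map((l) => JSON.parse(l) as AccessLogEntry);
}

function analyzeLogLines(lines: string): Finding[] {
  const findings: Finding[] = [];
  for (const entry of parseLog(lines)) findings.push(...analyzeEntry(entry));
  return findings;
}

// Number of distinct sources hitting the proxy; a sudden jump in this value is the
// "anonymous proxy abuse" indicator, so alert when it crosses a baseline you set.
function distinctProxySources(lines: string): number {
  const sources = new Set<string>();
  for (const e of parseLog(lines)) if (e.path === PROXY_PATH) sources.add(e.src);
  return sources.size;
}

// Constructed sample log (documentation IP ranges); not real traffic.
const SAMPLE_LOG = [
  '{"ts":"2026-06-16T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/webapi/proxy","auth":false,"target":"https://httpbin.org/ip","resp_headers":{"content-type":"application/json"}}',
  '{"ts":"2026-06-16T10:00:02Z","src":"203.0.113.7","method":"POST","path":"/webapi/proxy","auth":false,"target":"http://169.254.169.254/latest/meta-data/","resp_headers":{"content-type":"text/plain"}}',
  '{"ts":"2026-06-16T10:00:03Z","src":"198.51.100.9","method":"POST","path":"/webapi/proxy","auth":false,"target":"https://attacker.example/cookie","resp_headers":{"content-type":"text/html","set-cookie":"__session=fixed-by-attacker; Path=/"}}',
  '{"ts":"2026-06-16T10:00:04Z","src":"192.0.2.5","method":"POST","path":"/webapi/chat/openai","auth":true,"target":"","resp_headers":{}}',
  '{"ts":"2026-06-16T10:00:05Z","src":"192.0.2.8","method":"POST","path":"/webapi/proxy","auth":true,"target":"https://example.org/preview","resp_headers":{"content-type":"text/html"}}',
].join("\n");
```

Over the constructed sample, analyzeLogLines(SAMPLE_LOG) raises five findings: three unauthenticated proxy calls, one metadata-address target and one reflected __session cookie, while the authenticated chat and preview requests raise none. The host check is intentionally narrow (IPv4 literals and two named hosts); DNS-resolved hostnames that point at internal addresses need resolution-time checks that a log rule cannot do.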

Mitigations and Workarounds

Upgrade the @lobehub/lobehub npm package to version 2.1.57 or later, which adds the checkAuth() wrapper to the /webapi/proxy route handler. If you cannot upgrade immediately, place an edge rule or Web Application Firewall (WAF) policy in front of the deployment that rejects POST /webapi/proxy requests lacking a valid session, and restrict outbound connections from the LobeHub server to the destinations it actually needs, explicitly denying the link-local metadata address (169.254.169.254), RFC-1918 ranges, and cloud management APIs. If the proxy endpoint is only used for client-side URL previews, consider removing it entirely and handling previews in the browser. After patching, keep monitoring for unauthenticated POST requests to /webapi/proxy and unexpected outbound connections, since they then indicate attempts rather than successes (GitHub Advisory).

Community Response

The vulnerability was reported by security researcher 0xj3st3r and published by LobeHub maintainer arvinxx on June 3, 2026, with the GitHub Advisory Database entry published on June 16, 2026. The CVE appeared in a Reddit CVEWatch post covering the top trending CVEs for June 16, 2026, indicating moderate community interest. No major vendor statements or notable analyst commentary beyond the advisory itself have been identified (GitHub Advisory).

Related Information

Sources

This report was generated using AI.

Related JavaScript vulnerabilities:

CVE identifier    Severity  Score  Technology  Component name          CISA KEV exploited  Fix available  Published
CVE-2026-54350    CRITICAL  10     JavaScript  @budibase/server        No                  Yes            Jun 23, 2026
CVE-2026-54257    CRITICAL  9.3    JavaScript  electron                No                  Yes            Jun 23, 2026
CVE-2026-54157    CRITICAL  9      JavaScript  @lobehub/lobehub        No                  Yes            Jun 23, 2026
CVE-2026-54353    HIGH      8.5    JavaScript  @budibase/backend-core  No                  Yes            Jun 22, 2026
CVE-2026-50179    MEDIUM    4.2    JavaScript  @actual-app/web         No                  Yes            Jun 22, 2026
