CVE-2024-24566: 
JavaScript vulnerability analysis and mitigation

Lobe Chat, a chatbot framework supporting speech synthesis and multimodal functionality, was found to contain an authentication bypass vulnerability (CVE-2024-24566). When the application is deployed with password protection using the ACCESS_CODE option, it was possible to access plugins without proper authorization. This vulnerability affected versions 0.122.3 and earlier, and was patched in version 0.122.4 (GitHub Advisory).

The vulnerability allowed unauthorized access to chat plugins through the /api/plugin/gateway endpoint without requiring the proper ACCESS_CODE authentication. The issue stemmed from a lack of access code verification for plugin-related HTTP requests. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Moderate severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (GitHub Advisory).

The vulnerability allows unauthorized users to interact with chat plugins and access plugin functionality even when the application is configured with password protection. This could lead to unauthorized access to plugin features and potential manipulation of plugin-related data (GitHub Advisory).

Users should upgrade to Lobe Chat version 0.122.4 or later, which includes a patch that implements proper ACCESS_CODE verification for plugin-related HTTP requests. The fix involves verifying the ACCESS_CODE for all HTTP requests to the /api/plugin/ route (GitHub Advisory).