CVE-2025-59426: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59426 is a moderate severity vulnerability discovered in the lobe-chat project affecting versions prior to 1.130.1. The vulnerability was disclosed on September 24, 2025, and involves an Open Redirect issue in the project's OIDC (OpenID Connect) redirect handling logic. The vulnerability stems from the way the application constructs the host and protocol of the final redirect URL based on X-Forwarded-Host or Host headers and X-Forwarded-Proto values (GitHub Advisory).

The vulnerability exists in the OIDC redirect handling mechanism where the application fails to properly validate client-supplied X-Forwarded-* headers. In deployments where a reverse proxy forwards these headers to the origin as-is, or where the origin trusts them without validation, attackers can inject arbitrary hosts to trigger open redirects. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, and user interaction required (GitHub Advisory).

The vulnerability can force users to redirect to untrusted external domains, potentially leading to phishing attacks, credential harvesting, and session fixation. While the vulnerable path doesn't directly expose tokens, it can be exploited for social engineering attacks through redirect chains. The impact can be amplified when combined with other vulnerabilities such as CSP bypass or cache poisoning (GitHub Advisory).

The vulnerability has been patched in version 1.130.1 of lobe-chat. Users are advised to upgrade to this version or later to address the security issue. The fix was implemented through commit 70f52a3, which addresses the OIDC open redirect issue (GitHub Commit).