CVE-2025-62505: 
JavaScript vulnerability analysis and mitigation

LobeChat, an open source chat application platform, was found to contain a Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-62505) in version 1.136.1. The vulnerability exists in the web-crawler package's tools.search.crawlPages tRPC endpoint. The issue was discovered and disclosed on October 17, 2025, affecting the @lobehub/chat npm package (GitHub Advisory, NVD).

The vulnerability occurs when a client supplies an arbitrary URLs array together with impls containing the value "naive" to the tRPC endpoint. The service passes these URLs to Crawler.crawl, and the naive implementation performs server-side fetch requests without validating or restricting internal network addresses. The vulnerability has been assigned a CVSS v3.1 base score of 3.0 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N. The issue is classified as CWE-918 (Server-Side Request Forgery) (GitHub Advisory, Miggo).

The vulnerability allows an attacker with a valid user token (or using a bypass header in development mode) to make the server disclose responses from internal HTTP services. This can potentially expose internal API data, cloud metadata credentials, and provide access to internal resources such as management ports and cloud metadata endpoints. The impact is particularly concerning as it can lead to exposure of authentication tokens, secret keys, and provide opportunities for lateral movement (GitHub Advisory).

The vulnerability has been fixed in version 1.136.2 of the package. Users are advised to update to this version as no known workarounds exist. The fix involves replacing the native fetch call with ssrfSafeFetch inside the naive function in packages/web-crawler/src/crawImpl/naive.ts (GitHub Advisory).