// vulnerability record
CVE-2026-58578 · cached · NVD via COSMOS sync
HIGH · published 2026-07-02 20:17 UTC · 2 days ago
CVSS 7.1 / 10
// description
LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. An attacker can craft a malicious basePath value containing unescaped regex metacharacters that form a catastrophic-backtracking pattern; the value is interpolated into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.
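An added illustration of the bug class described above, not LobeChat's own code: only the name findSkillMd and the basePath parameter come from the record, while the archive listing, the pattern shape and the helper functions are constructed. It places the vulnerable shape (user input interpolated as regex source) beside two hardened shapes (escaped and validated input, and a regex-free comparison).

```javascript
// Added example (not LobeChat's code): a skill importer that looks for
// SKILL.md under a user-supplied basePath among archive entries.
// Constructed listing standing in for the entries of a downloaded repo archive.
const ENTRIES = [
  'repo-main/README.md',
  'repo-main/skills/demo/SKILL.md',
  'repo-main/skills/demo/assets/logo.png',
  'repo-main/skillsXdemo/SKILL.md', // only reachable if '.' acts as a wildcard
];

// Vulnerable shape: basePath is interpolated as regex source text, so any
// metacharacter it carries (wildcards, quantifiers, alternation) rewrites
// the pattern; nested quantifiers lead to catastrophic backtracking that
// blocks the event loop for every concurrent request.
function findSkillMdVulnerable(entries, basePath) {
  const re = new RegExp(`^[^/]+/${basePath}/SKILL\\.md$`);
  return entries.find((e) => re.test(e)) ?? null;
}

// Escape every character that has meaning in a RegExp so the value is
// matched literally and cannot change the pattern's structure.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Defence in depth: a repository path only needs a small character set;
// reject anything else before a RegExp is ever constructed.
function isSafeBasePath(basePath) {
  return /^[A-Za-z0-9._\/-]{1,200}$/.test(basePath) && !basePath.includes('..');
}

// Hardened shape: same matching intent, user input is validated and literal.
function findSkillMd(entries, basePath) {
  if (!isSafeBasePath(basePath)) return null;
  const re = new RegExp(`^[^/]+/${escapeRegExp(basePath)}/SKILL\\.md$`);
  return entries.find((e) => re.test(e)) ?? null;
}

// Regex-free alternative: drop the archive's top-level directory and
// compare the remainder as a plain string, so no pattern is built at all.
function findSkillMdNoRegex(entries, basePath) {
  const want = `${basePath}/SKILL.md`;
  return entries.find((e) => e.slice(e.indexOf('/') + 1) === want) ?? null;
}
```

With basePath 'skills.demo' the vulnerable shape still returns the 'skills/demo' entry because the unescaped '.' matches the slash, while both hardened shapes treat the value literally and return null.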
// weaknesses (CWE)
- CWE-1333
// references (5)
- https://github.com/lobehub/lobehub/commit/349bbe326eb8635d6d9c6a96d12702681ae3a84a
- https://github.com/lobehub/lobehub/issues/16494
- https://github.com/lobehub/lobehub/pull/16548
- https://github.com/lobehub/lobehub/releases/tag/v2.2.10-canary.15
- https://www.vulncheck.com/advisories/lobechat-canary-15-regular-expression-denial-of-service-in-github-skill-import