EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
@lobehub/chatnpmDescription
Description
Vulnerability Overview
The project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain.
Vulnerable Code Analysis
const internalRedirectUrlString = await oidcService.getInteractionResult(uid, result);
log('OIDC Provider internal redirect URL string: %s', internalRedirectUrlString);
let finalRedirectUrl;
try {
finalRedirectUrl = correctOIDCUrl(request, new URL(internalRedirectUrlString));
} catch {
finalRedirectUrl = new URL(internalRedirectUrlString);
log('Warning: Could not parse redirect URL, using as-is: %s', internalRedirectUrlString);
}
return NextResponse.redirect(finalRedirectUrl, {
headers: request.headers,
status: 303,
});
PoC
curl Example
curl -i 'http://localhost:3210/oidc/callback/desktop?code=abc&state=test123' \
-H 'X-Forwarded-Host: google.com' \
-H 'X-Forwarded-Proto: https'
Impact
- It can force users to redirect to untrusted external domains, leading to subsequent attacks such as phishing, credential harvesting, and session fixation.
- It can disrupt the OAuth/OIDC flow user experience by redirecting users to malicious domains disguised as legitimate pages (even though this path doesn't directly include tokens, it can be exploited for social engineering attacks through redirect chains).
- The impact can be amplified when redirect chains are combined with other vulnerabilities such as CSP bypass or cache poisoning.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @lobehub/chat | all versions | 1.130.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @lobehub/chat. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @lobehub/chat to 1.130.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xph5-278p-26qx is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xph5-278p-26qx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xph5-278p-26qx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xph5-278p-26qx in your dependencies?
O3 detects GHSA-xph5-278p-26qx across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.