CVE-2026-58578
Severity: Medium (CVSS 6.5)
Exploitation Probability (EPSS): Low risk, 22nd percentile (higher than 22% of all known CVEs)
Summary
LobeChat before version 2.2.10-canary.15 contains a ReDoS vulnerability allowing authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. The malicious basePath value is injected into a dynamically constructed regex in the findSkillMd function, causing service denial for tens of seconds per request.
Risk Assessment
The risk is a denial-of-service attack by an authenticated user, potentially making the application unavailable to all users. The attack only requires a valid account and can be repeated multiple times.
Recommendation
Immediately upgrade LobeChat to version 2.2.10-canary.15 or later. Additionally, consider restricting skill import functionality to trusted users and validating input for ReDoS patterns.
Original NVD description (English source)
LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.