CVE Catalog

CVE-2026-58578

Severity: Medium (CVSS 6.5)
Published: (date not shown) · Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.31% (estimated probability of exploitation in the wild within the next 30 days)

22nd percentile: higher than 22% of all known CVEs

Summary

LobeChat before version 2.2.10-canary.15 contains a regular expression denial-of-service (ReDoS) vulnerability. An authenticated user who imports a skill from a GitHub repository controls the repository URL path; that basePath value is interpolated, without escaping, into a dynamically constructed regular expression in the findSkillMd function, which is then executed synchronously against every entry of the downloaded archive. A basePath containing a catastrophic-backtracking pattern therefore pins the Node.js event loop for tens of seconds per request, and because the event loop is single-threaded, every other request handled by that process stalls for the same time.

Risk Assessment

The risk is denial of service by an authenticated user: one malicious import request blocks the process for tens of seconds, making the application unavailable to all concurrent users, and the attacker can resubmit the request as soon as the previous one finishes (or in parallel) to keep the service down. Only a valid account is required; no confidentiality or integrity impact is reported, which is consistent with the Medium (6.5) score for a network-reachable, low-privilege, availability-only issue.

Recommendation

Upgrade LobeChat to version 2.2.10-canary.15 or later. Until the upgrade is deployed, restrict the skill import feature to trusted users. For the code pattern itself, the durable fix is to never interpolate a user-controlled string into a RegExp unescaped: either escape every regex metacharacter before building the pattern, or avoid the dynamic regex altogether and compare path segments as plain strings. Trying to "validate input for ReDoS patterns" is not a reliable defence on its own, because recognising catastrophic patterns in an arbitrary regex is hard, whereas an allowlist for repository paths (letters, digits, dot, hyphen, underscore and slash) is simple and sufficient. As a further mitigation for any archive-parsing step that runs CPU-bound work, moving that work off the main thread (for example into a worker_threads worker) keeps a slow match from stalling the whole server.
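As an added example that is not LobeChat's own code (the real findSkillMd is not reproduced here), the following Node.js snippet shows the shape of the bug described in the Summary and the two hardening options named in the Recommendation: a repository path is interpolated unescaped into a RegExp that is run against every archive entry, next to an escaped variant and a variant with no dynamic regex at all. The function names, the allowlist, and the sample archive entries are constructed for this illustration.

```javascript
// Added example, not LobeChat's code. Illustrates the unescaped-basePath regex
// injection that CVE-2026-58578 describes, and two ways to fix it. All names
// and the sample archive listing below are constructed for this example.

// Constructed sample of entry names, shaped like a GitHub zipball listing:
const SAMPLE_ENTRIES = [
  'owner-repo-abc123/README.md',
  'owner-repo-abc123/skills/demo/SKILL.md',
  'owner-repo-abc123/skills/demo/index.ts',
  'owner-repo-abc123/skills/other/SKILL.md',
];

// VULNERABLE: basePath goes straight into the pattern. Any regex metacharacter
// in it is interpreted, so the caller controls the pattern run on every entry.
function findSkillMdVulnerable(entries, basePath) {
  const re = new RegExp(`^[^/]+/${basePath}/SKILL\\.md$`);
  return entries.filter((e) => re.test(e));
}

// Escape every character that has meaning inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
}

// HARDENED (1): same regex, but basePath can only match itself literally.
function findSkillMdEscaped(entries, basePath) {
  const re = new RegExp(`^[^/]+/${escapeRegExp(basePath)}/SKILL\\.md$`);
  return entries.filter((e) => re.test(e));
}

// HARDENED (2): no dynamic regex. Compare path segments as strings; cost is
// linear in the entry length no matter what basePath contains.
function findSkillMdNoRegex(entries, basePath) {
  const wanted = basePath.split('/').filter(Boolean);
  return entries.filter((e) => {
    const rest = e.split('/').slice(1); // drop the "<owner>-<repo>-<sha>/" top dir
    if (rest.length !== wanted.length + 1) return false;
    if (rest[rest.length - 1] !== 'SKILL.md') return false;
    return wanted.every((w, i) => rest[i] === w);
  });
}

// Allowlist check to apply before basePath reaches any matcher. The accepted
// character set is an assumption of this example, not LobeChat's rule.
const SAFE_SEGMENT = /^[A-Za-z0-9._-]+$/;
function isSafeBasePath(basePath) {
  const segs = basePath.split('/');
  return segs.length > 0 &&
    segs.every((s) => SAFE_SEGMENT.test(s) && !/^\.+$/.test(s));
}

// Measures how long the vulnerable matcher takes on one constructed entry when
// basePath is the classic catastrophic pattern "(s+)+x": the engine tries every
// way to split the run of n "s" characters between the two quantifiers, so the
// time roughly doubles with each extra character.
function backtrackCostMs(n) {
  const entry = `top/${'s'.repeat(n)}/SKILL.md`; // constructed entry name
  const t0 = performance.now();
  findSkillMdVulnerable([entry], '(s+)+x');
  return performance.now() - t0;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable, basePath "skills/.*":', findSkillMdVulnerable(SAMPLE_ENTRIES, 'skills/.*'));
  console.log('escaped,    basePath "skills/.*":', findSkillMdEscaped(SAMPLE_ENTRIES, 'skills/.*'));
  console.log('no-regex,   basePath "skills/demo":', findSkillMdNoRegex(SAMPLE_ENTRIES, 'skills/demo'));
  for (const n of [10, 14, 18, 22]) {
    console.log(`n=${n}: ${backtrackCostMs(n).toFixed(1)} ms`);
  }
}
```

Run with `node` and raise the loop's n a few steps at a time to see the exponential growth; each extra character roughly doubles the time, which is why a short path component is enough to hold the event loop for tens of seconds. The escaped and no-regex variants return nothing for `skills/.*` and `(s+)+x` because those strings are treated as literal directory names, and the allowlist rejects them before any matching happens.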

Original NVD description (English source)

LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS