CVE-2026-58578
MEDIUMLobeChat < 2.2.10-canary.15 - Regular Expression Denial of Service in GitHub Skill Import
Title source: cnaDescription
LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.
References (5)
Core 5
Core References
Release Notes release-notes
Release Notes
https://github.com/lobehub/lobehub/releases/tag/v2.2.10-canary.15
Exploit exploit
technical-description
Researcher Disclosure
https://github.com/lobehub/lobehub/issues/16494
Patch patch
Fix Commit
https://github.com/lobehub/lobehub/commit/349bbe326eb8635d6d9c6a96d12702681ae3a84a
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/lobechat-canary-15-regular-expression-denial-of-service-in-github-skill-import
Scores
CVSS v3
6.5
EPSS
0.0031
EPSS Percentile
22.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-1333
Status
published
Products (1)
lobehub/lobehub
< 2.2.10-canary.15
Published
Jul 02, 2026
Tracked Since
Jul 03, 2026