PatchSiren cyber security CVE debrief
CVE-2026-58578 lobehub CVE debrief
CVE-2026-58578 is a regular expression denial of service (ReDoS) vulnerability in LobeChat before version 2.2.10-canary.15. The vulnerability allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. This can cause a denial of service to all concurrent users for tens of seconds per request. The vulnerability is caused by a dynamically constructed regular expression in the findSkillMd function that is executed synchronously against archive entries. Attackers can craft a malicious basePath value containing unescaped regex metacharacters, such as catastrophic-backtracking patterns.
- Vendor
- lobehub
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-02
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-02
- Advisory updated
- 2026-07-07
Who should care
Users of LobeChat before version 2.2.10-canary.15 should be aware of this vulnerability and take steps to mitigate it. This includes updating LobeChat to version 2.2.10-canary.15 or later, restricting access to the affected function, implementing input validation and sanitization, monitoring for suspicious activity, and considering implementing a web application firewall (WAF).
Technical summary
The vulnerability is caused by a dynamically constructed regular expression in the findSkillMd function that is executed synchronously against archive entries. Attackers can craft a malicious basePath value containing unescaped regex metacharacters, such as catastrophic-backtracking patterns, which can deny service to all concurrent users for tens of seconds per request. The findSkillMd function is used during skill import, and the vulnerability allows authenticated attackers to block the Node.js event loop.
Defensive priority
High
Recommended defensive actions
- Update LobeChat to version 2.2.10-canary.15 or later
- Restrict access to the affected function
- Implement input validation and sanitization
- Monitor for suspicious activity
- Consider implementing a web application firewall (WAF)
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-02T20:17:06.870Z and was last modified on 2026-07-07T18:16:39.903Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. The findSkillMd function constructs a regular expression dynamically and executes it synchronously against archive entries, which can cause a denial of service to all concurrent users for tens of seconds per request.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T20:17:06.870Z and has not been modified since then. The NVD entry is currently Deferred.