Fix React Server Components CVE vulnerabilities

.env.example

@@ -13,6 +13,17 @@
 # Default is '0' (enabled)
 # ENABLED_CSP=1
 
+# SSRF Protection Settings
+# Set to '1' to allow connections to private IP addresses (disable SSRF protection)
+# WARNING: Only enable this in trusted environments
+# Default is '0' (SSRF protection enabled)
+# SSRF_ALLOW_PRIVATE_IP_ADDRESS=0
+
+# Whitelist of allowed private IP addresses (comma-separated)
+# Only takes effect when SSRF_ALLOW_PRIVATE_IP_ADDRESS is '0'
+# Example: Allow specific internal servers while keeping SSRF protection
+# SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50
+
 ########################################
 ########## AI Provider Service #########
 ########################################

CHANGELOG.md

@@ -2,6 +2,106 @@
 
 # Changelog
 
+### [Version 1.143.2](https://github.com/lobehub/lobe-chat/compare/v1.143.1...v1.143.2)
+
+<sup>Released on **2025-12-04**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: Fix React CVE.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: Fix React CVE, closes [#10592](https://github.com/lobehub/lobe-chat/issues/10592) ([20809b5](https://github.com/lobehub/lobe-chat/commit/20809b5))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
+### [Version 1.143.1](https://github.com/lobehub/lobe-chat/compare/v1.143.0...v1.143.1)
+
+<sup>Released on **2025-12-02**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: Deepseek interleaved thinking.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: Deepseek interleaved thinking, closes [#10550](https://github.com/lobehub/lobe-chat/issues/10550) ([73f3066](https://github.com/lobehub/lobe-chat/commit/73f3066))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
+## [Version 1.143.0](https://github.com/lobehub/lobe-chat/compare/v1.142.9...v1.143.0)
+
+<sup>Released on **2025-12-01**</sup>
+
+#### ✨ Features
+
+- **misc**: Support DeepSeek Interleaved thinking.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's improved
+
+- **misc**: Support DeepSeek Interleaved thinking, closes [#10478](https://github.com/lobehub/lobe-chat/issues/10478) [#10219](https://github.com/lobehub/lobe-chat/issues/10219) [#10152](https://github.com/lobehub/lobe-chat/issues/10152) ([aee5d71](https://github.com/lobehub/lobe-chat/commit/aee5d71))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
+### [Version 1.142.9](https://github.com/lobehub/lobe-chat/compare/v1.142.8...v1.142.9)
+
+<sup>Released on **2025-11-02**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: OIDC error when connecting to self-host instance.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: OIDC error when connecting to self-host instance, closes [#9916](https://github.com/lobehub/lobe-chat/issues/9916) ([2e2b9c4](https://github.com/lobehub/lobe-chat/commit/2e2b9c4))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
 ### [Version 1.142.8](https://github.com/lobehub/lobe-chat/compare/v1.142.7...v1.142.8)
 
 <sup>Released on **2025-10-30**</sup>

README.md

@@ -381,14 +381,14 @@ In addition, these plugins are not limited to news aggregation, but can also ext
 
 <!-- PLUGIN LIST -->
 
-| Recent Submits                                                                                                               | Description                                                                                                                               |
-| ---------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
-| [Shopping tools](https://lobechat.com/discover/plugin/ShoppingTools)<br/><sup>By **shoppingtools** on **2025-10-27**</sup>   | Search for products on eBay & AliExpress, find eBay events & coupons. Get prompt examples.<br/>`shopping` `e-bay` `ali-express` `coupons` |
-| [PortfolioMeta](https://lobechat.com/discover/plugin/StockData)<br/><sup>By **portfoliometa** on **2025-09-27**</sup>        | Analyze stocks and get comprehensive real-time investment data and analytics.<br/>`stock`                                                 |
-| [Web](https://lobechat.com/discover/plugin/web)<br/><sup>By **Proghit** on **2025-01-24**</sup>                              | Smart web search that reads and analyzes pages to deliver comprehensive answers from Google results.<br/>`web` `search`                   |
-| [Bing_websearch](https://lobechat.com/discover/plugin/Bingsearch-identifier)<br/><sup>By **FineHow** on **2024-12-22**</sup> | Search for information from the internet base BingApi<br/>`bingsearch`                                                                    |
-
-> 📊 Total plugins: [<kbd>**42**</kbd>](https://lobechat.com/discover/plugins)
+| Recent Submits                                                                                                             | Description                                                                                                                               |
+| -------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
+| [PortfolioMeta](https://lobechat.com/discover/plugin/StockData)<br/><sup>By **portfoliometa** on **2025-11-28**</sup>      | Analyze stocks and get comprehensive real-time investment data and analytics.<br/>`stock`                                                 |
+| [SEO](https://lobechat.com/discover/plugin/SEO)<br/><sup>By **orrenprunckun** on **2025-11-14**</sup>                      | Enter any URL and keyword and get an On-Page SEO analysis & insights!<br/>`seo`                                                           |
+| [Shopping tools](https://lobechat.com/discover/plugin/ShoppingTools)<br/><sup>By **shoppingtools** on **2025-10-27**</sup> | Search for products on eBay & AliExpress, find eBay events & coupons. Get prompt examples.<br/>`shopping` `e-bay` `ali-express` `coupons` |
+| [Web](https://lobechat.com/discover/plugin/web)<br/><sup>By **Proghit** on **2025-01-24**</sup>                            | Smart web search that reads and analyzes pages to deliver comprehensive answers from Google results.<br/>`web` `search`                   |
+
+> 📊 Total plugins: [<kbd>**41**</kbd>](https://lobechat.com/discover/plugins)
 
  <!-- PLUGIN LIST -->
 

README.zh-CN.md

@@ -374,14 +374,14 @@ LobeChat 的插件生态系统是其核心功能的重要扩展，它极大地
 
 <!-- PLUGIN LIST -->
 
-| 最近新增                                                                                                                   | 描述                                                                                                               |
-| -------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
-| [购物工具](https://lobechat.com/discover/plugin/ShoppingTools)<br/><sup>By **shoppingtools** on **2025-10-27**</sup>       | 在 eBay 和 AliExpress 上搜索产品，查找 eBay 活动和优惠券。获取快速示例。<br/>`购物` `e-bay` `ali-express` `优惠券` |
-| [PortfolioMeta](https://lobechat.com/discover/plugin/StockData)<br/><sup>By **portfoliometa** on **2025-09-27**</sup>      | 分析股票并获取全面的实时投资数据和分析。<br/>`股票`                                                                |
-| [网页](https://lobechat.com/discover/plugin/web)<br/><sup>By **Proghit** on **2025-01-24**</sup>                           | 智能网页搜索，读取和分析页面，以提供来自 Google 结果的全面答案。<br/>`网页` `搜索`                                 |
-| [必应网页搜索](https://lobechat.com/discover/plugin/Bingsearch-identifier)<br/><sup>By **FineHow** on **2024-12-22**</sup> | 通过 BingApi 搜索互联网上的信息<br/>`bingsearch`                                                                   |
-
-> 📊 Total plugins: [<kbd>**42**</kbd>](https://lobechat.com/discover/plugins)
+| 最近新增                                                                                                              | 描述                                                                                                               |
+| --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| [PortfolioMeta](https://lobechat.com/discover/plugin/StockData)<br/><sup>By **portfoliometa** on **2025-11-28**</sup> | 分析股票并获取全面的实时投资数据和分析。<br/>`股票`                                                                |
+| [SEO](https://lobechat.com/discover/plugin/SEO)<br/><sup>By **orrenprunckun** on **2025-11-14**</sup>                 | 输入任何 URL 和关键词，获取页面 SEO 分析和见解！<br/>`seo`                                                         |
+| [购物工具](https://lobechat.com/discover/plugin/ShoppingTools)<br/><sup>By **shoppingtools** on **2025-10-27**</sup>  | 在 eBay 和 AliExpress 上搜索产品，查找 eBay 活动和优惠券。获取快速示例。<br/>`购物` `e-bay` `ali-express` `优惠券` |
+| [网页](https://lobechat.com/discover/plugin/web)<br/><sup>By **Proghit** on **2025-01-24**</sup>                      | 智能网页搜索，读取和分析页面，以提供来自 Google 结果的全面答案。<br/>`网页` `搜索`                                 |
+
+> 📊 Total plugins: [<kbd>**41**</kbd>](https://lobechat.com/discover/plugins)
 
  <!-- PLUGIN LIST -->
 

changelog/v1.json

@@ -1,4 +1,32 @@
 [
+  {
+    "children": {
+      "fixes": ["Fix React CVE."]
+    },
+    "date": "2025-12-04",
+    "version": "1.143.2"
+  },
+  {
+    "children": {
+      "fixes": ["Deepseek interleaved thinking."]
+    },
+    "date": "2025-12-02",
+    "version": "1.143.1"
+  },
+  {
+    "children": {
+      "features": ["Support DeepSeek Interleaved thinking."]
+    },
+    "date": "2025-12-01",
+    "version": "1.143.0"
+  },
+  {
+    "children": {
+      "fixes": ["OIDC error when connecting to self-host instance."]
+    },
+    "date": "2025-11-02",
+    "version": "1.142.9"
+  },
   {
     "children": {},
     "date": "2025-10-30",

docs/self-hosting/environment-variables/basic.mdx

@@ -127,16 +127,62 @@ For specific content, please refer to the [Feature Flags](/docs/self-hosting/adv
 ### `SSRF_ALLOW_PRIVATE_IP_ADDRESS`
 
 - Type: Optional
-- Description: Allow to connect private IP address. In a trusted environment, it can be set to true to turn off SSRF protection.
+- Description: Controls whether to allow connections to private IP addresses. Set to `1` to disable SSRF protection and allow all private IP addresses. In a trusted environment (e.g., internal network), this can be enabled to allow access to internal resources.
 - Default: `0`
 - Example: `1` or `0`
 
+<Callout type="warning">
+  **Security Notice**: Enabling this option will disable SSRF protection and allow connections to private
+  IP addresses (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, etc.). Only enable this in
+  trusted environments where you need to access internal network resources.
+</Callout>
+
+**Use Cases**:
+
+LobeChat performs SSRF security checks in the following scenarios:
+
+1. **Image/Video URL to Base64 Conversion**: When processing media messages (e.g., vision models, multimodal models), LobeChat converts image and video URLs to base64 format. This check prevents malicious users from accessing internal network resources.
+
+   Examples:
+
+   - Image: A user sends an image message with URL `http://192.168.1.100/admin/secrets.png`
+   - Video: A user sends a video message with URL `http://10.0.0.50/internal/meeting.mp4`
+
+   Without SSRF protection, these requests could expose internal network resources.
+
+2. **Web Crawler**: When using web crawling features to fetch external content.
+
+3. **Proxy Requests**: When proxying external API requests.
+
+**Configuration Examples**:
+
+```bash
+# Scenario 1: Public deployment (recommended)
+# Block all private IP addresses for security
+SSRF_ALLOW_PRIVATE_IP_ADDRESS=0
+
+# Scenario 2: Internal deployment
+# Allow all private IP addresses to access internal image servers
+SSRF_ALLOW_PRIVATE_IP_ADDRESS=1
+
+# Scenario 3: Hybrid deployment (most common)
+# Block private IPs by default, but allow specific trusted internal servers
+SSRF_ALLOW_PRIVATE_IP_ADDRESS=0
+SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50
+```
+
 ### `SSRF_ALLOW_IP_ADDRESS_LIST`
 
 - Type: Optional
-- Description: Allow private IP address list, multiple IP addresses are separated by commas. Only when `SSRF_ALLOW_PRIVATE_IP_ADDRESS` is `0`, it takes effect.
+- Description: Whitelist of allowed IP addresses, separated by commas. Only takes effect when `SSRF_ALLOW_PRIVATE_IP_ADDRESS` is `0`. Use this to allow specific internal IP addresses while keeping SSRF protection enabled for other private IPs.
 - Default: -
-- Example: `198.18.1.62,224.0.0.3`
+- Example: `192.168.1.100,10.0.0.50,172.16.0.10`
+
+**Common Use Cases**:
+
+- Allow access to internal image storage server: `192.168.1.100`
+- Allow access to internal API gateway: `10.0.0.50`
+- Allow access to internal documentation server: `172.16.0.10`
 
 ### `ENABLE_AUTH_PROTECTION`
 

docs/self-hosting/environment-variables/basic.zh-CN.mdx

@@ -123,16 +123,61 @@ LobeChat 在部署时提供了一些额外的配置项，你可以使用环境
 ### `SSRF_ALLOW_PRIVATE_IP_ADDRESS`
 
 - 类型：可选
-- 描述：是否允许连接私有 IP 地址。在可信环境中可以设置为 true 来关闭 SSRF 防护。
+- 描述：控制是否允许连接私有 IP 地址。设置为 `1` 时将关闭 SSRF 防护并允许所有私有 IP 地址。在可信环境（如内网部署）中，可以启用此选项以访问内部资源。
 - 默认值：`0`
-- 示例：`1` or `0`
+- 示例：`1` 或 `0`
+
+<Callout type="warning">
+  **安全提示**：启用此选项将关闭 SSRF 防护，允许连接私有 IP 地址段（127.0.0.0/8、10.0.0.0/8、172.16.0.0/12、192.168.0.0/16
+  等）。仅在需要访问内网资源的可信环境中启用。
+</Callout>
+
+**应用场景**：
+
+LobeChat 会在以下场景执行 SSRF 安全检查：
+
+1. **图片 / 视频 URL 转 Base64**：在处理媒体消息时（例如视觉模型、多模态模型），LobeChat 会将图片和视频 URL 转换为 base64 格式。此检查可防止恶意用户通过媒体 URL 访问内网资源。
+
+   举例：
+
+   - 图片：用户发送图片消息，URL 为 `http://192.168.1.100/admin/secrets.png`
+   - 视频：用户发送视频消息，URL 为 `http://10.0.0.50/internal/meeting.mp4`
+
+   若无 SSRF 防护，这些请求可能导致内网资源泄露。
+
+2. **网页爬取**：使用网页爬取功能获取外部内容时。
+
+3. **代理请求**：代理外部 API 请求时。
+
+**配置示例**：
+
+```bash
+# 场景 1：公网部署（推荐）
+# 阻止所有私有 IP 访问，保证安全
+SSRF_ALLOW_PRIVATE_IP_ADDRESS=0
+
+# 场景 2：内网部署
+# 允许所有私有 IP，可访问内网图片服务器等资源
+SSRF_ALLOW_PRIVATE_IP_ADDRESS=1
+
+# 场景 3：混合部署（最常见）
+# 默认阻止私有 IP，但允许特定可信的内网服务器
+SSRF_ALLOW_PRIVATE_IP_ADDRESS=0
+SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50
+```
 
 ### `SSRF_ALLOW_IP_ADDRESS_LIST`
 
 - 类型：可选
-- 说明：允许的私有 IP 地址列表，多个 IP 地址用逗号分隔。仅在 `SSRF_ALLOW_PRIVATE_IP_ADDRESS` 为 `0` 时生效。
+- 描述：允许访问的 IP 地址白名单，多个 IP 地址用逗号分隔。仅在 `SSRF_ALLOW_PRIVATE_IP_ADDRESS` 为 `0` 时生效。使用此选项可以在保持 SSRF 防护的同时，允许访问特定的内网 IP 地址。
 - 默认值：-
-- 示例：`198.18.1.62,224.0.0.3`
+- 示例：`192.168.1.100,10.0.0.50,172.16.0.10`
+
+**常见使用场景**：
+
+- 允许访问内网图片存储服务器：`192.168.1.100`
+- 允许访问内网 API 网关：`10.0.0.50`
+- 允许访问内网文档服务器：`172.16.0.10`
 
 ### `ENABLE_AUTH_PROTECTION`
 

docs/usage/providers/comfyui.mdx

@@ -11,7 +11,7 @@ tags:
 
 # Using ComfyUI in LobeChat
 
-<Image alt={'Using ComfyUI in LobeChat'} cover src={'https://github.com/lobehub/lobe-chat/assets/17870709/c9e5eafc-ca22-496b-a88d-cc0ae53bf720'} />
+<Image alt={'Using ComfyUI in LobeChat'} cover src={'https://hub-apac-1.lobeobjects.space/docs/e9b811f248a1db2bd1be1af888cf9b9d.png'} />
 
 This documentation will guide you on how to use [ComfyUI](https://github.com/comfyanonymous/ComfyUI) in LobeChat for high-quality AI image generation and editing.
 

docs/usage/providers/comfyui.zh-CN.mdx

@@ -11,7 +11,7 @@ tags:
 
 # 在 LobeChat 中使用 ComfyUI
 
-<Image alt={'在 LobeChat 中使用 ComfyUI'} cover src={'https://github.com/lobehub/lobe-chat/assets/17870709/c9e5eafc-ca22-496b-a88d-cc0ae53bf720'} />
+<Image alt={'在 LobeChat 中使用 ComfyUI'} cover src={'https://hub-apac-1.lobeobjects.space/docs/e9b811f248a1db2bd1be1af888cf9b9d.png'} />
 
 本文档将指导你如何在 LobeChat 中使用 [ComfyUI](https://github.com/comfyanonymous/ComfyUI) 进行高质量的 AI 图像生成和编辑。
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/chat",
-  "version": "1.142.8",
+  "version": "1.143.2",
   "description": "Lobe Chat - an open-source, high-performance chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",
@@ -156,6 +156,7 @@
     "@lobechat/database": "workspace:*",
     "@lobechat/electron-client-ipc": "workspace:*",
     "@lobechat/electron-server-ipc": "workspace:*",
+    "@lobechat/fetch-sse": "workspace:*",
     "@lobechat/file-loaders": "workspace:*",
     "@lobechat/model-runtime": "workspace:*",
     "@lobechat/observability-otel": "workspace:*",
@@ -172,7 +173,7 @@
     "@lobehub/market-sdk": "^0.22.7",
     "@lobehub/tts": "^2.0.1",
     "@lobehub/ui": "^2.13.2",
-    "@modelcontextprotocol/sdk": "^1.20.0",
+    "@modelcontextprotocol/sdk": "1.23.0",
     "@neondatabase/serverless": "^1.0.2",
     "@next/third-parties": "^15.5.4",
     "@opentelemetry/exporter-jaeger": "^2.1.0",
@@ -235,7 +236,7 @@
     "model-bank": "workspace:*",
     "modern-screenshot": "^4.6.6",
     "nanoid": "^5.1.6",
-    "next": "~15.3.5",
+    "next": "15.3.7",
     "next-auth": "5.0.0-beta.30",
     "next-mdx-remote": "^5.0.0",
     "nextjs-toploader": "^3.9.17",
@@ -261,9 +262,9 @@
     "pwa-install-handler": "^2.6.3",
     "query-string": "^9.3.1",
     "random-words": "^2.0.1",
-    "react": "^19.2.0",
+    "react": "^19.2.1",
     "react-confetti": "^6.4.0",
-    "react-dom": "^19.2.0",
+    "react-dom": "^19.2.1",
     "react-fast-marquee": "^1.6.5",
     "react-hotkeys-hook": "^5.1.0",
     "react-i18next": "^15.7.4",