CVE-2022-46164: Account Takeover Vulnerability Found in NodeBB
Maintainers of the NodeBB project have moved to address a critical security vulnerability in the forum software that, if successfully exploited, could result in an account takeover.
Tracked as CVE-2022-46164, the issue carries a CVSS severity score of 9.4. The flaw affects all versions of NodeBB Forum Software prior to 2.6.1.
NodeBB Forum Software is powered by Node.js and supports a Redis, MongoDB, or PostgreSQL database. It uses web sockets (via socket.io) for instant interactions and real-time notifications. NodeBB takes the best of the modern web, real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs, while staying true to the original bulletin board/forum format: categorical hierarchies, local user accounts, and asynchronous messaging.
“Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts,” according to the GitHub advisory.
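The advisory's wording, a plain object with a prototype used in message handling, describes a dispatch table that is an ordinary object literal: any string an attacker puts in an event name is used as a property key, and keys that are not own properties still resolve through the prototype chain. The following is an added illustration of that bug class and its hardening, written for this article; it is not NodeBB's code, and the handler names, event strings and socket shape are assumptions.

```javascript
// Added illustration (not NodeBB's code) of the bug class the advisory
// describes: a socket message dispatcher that resolves "namespace.method"
// event names against a plain object, so inherited properties are reachable.
// All names (handlers, event strings, the socket shape) are assumptions.

// Dispatch table written as an object literal, i.e. a plain object whose
// prototype is Object.prototype.
const vulnerableHandlers = {
  user: {
    getProfile: (socket, data) => ({ requestedBy: socket.uid, uid: data.uid }),
  },
};

// Vulnerable: walks the dotted path with ordinary property access. A key
// that is not an own property still resolves if the prototype chain has it,
// so "constructor" or "user.__proto__.hasOwnProperty" come back as functions.
function resolveVulnerable(table, eventName) {
  return eventName.split('.').reduce(
    (obj, key) => (obj === null || obj === undefined ? undefined : obj[key]),
    table,
  );
}

// Hardened: copy the tree into prototype-less objects and only follow keys
// that are own properties of the current node.
function makeHandlerTable(tree) {
  const table = Object.create(null);
  for (const key of Object.keys(tree)) {
    const value = tree[key];
    table[key] = value !== null && typeof value === 'object'
      ? makeHandlerTable(value)
      : value;
  }
  return table;
}

function resolveHardened(table, eventName) {
  let node = table;
  for (const key of eventName.split('.')) {
    if (node === null || typeof node !== 'object'
        || !Object.prototype.hasOwnProperty.call(node, key)) {
      return undefined;
    }
    node = node[key];
  }
  return typeof node === 'function' ? node : undefined;
}

const hardenedHandlers = makeHandlerTable(vulnerableHandlers);

// Dispatch helper: returns the handler's result, or null when the event
// name does not resolve to a registered handler.
function dispatch(resolver, table, socket, eventName, data) {
  const handler = resolver(table, eventName);
  return typeof handler === 'function' ? handler(socket, data) : null;
}

// Attacker-controlled event names (constructed for this example).
const probes = ['user.getProfile', 'constructor', 'user.__proto__.hasOwnProperty', 'toString'];

// Reports what each probe resolves to under a given resolver/table pair.
function classify(resolver, table) {
  const out = {};
  for (const name of probes) out[name] = typeof resolver(table, name);
  return out;
}

console.log('vulnerable:', classify(resolveVulnerable, vulnerableHandlers));
console.log('hardened:  ', classify(resolveHardened, hardenedHandlers));
```

With the vulnerable resolver, three of the four probes resolve to functions that were never registered as handlers; with the prototype-less table and own-property checks, only `user.getProfile` resolves. The same two changes, `Object.create(null)` for lookup tables keyed by untrusted strings and an own-property check before following a key, are the general fix for this family of bugs.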
Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects[1]. Prototype pollution vulnerabilities typically arise when a JavaScript function recursively merges an object containing user-controllable properties into an existing object without first sanitizing the keys, so that a key such as `__proto__` or `constructor` in the untrusted input is followed into `Object.prototype` and the nested values are written there. The NodeBB advisory's wording points at the mirror image of the same hazard: when attacker-supplied strings are used as property names on a plain object, those same keys resolve to inherited members rather than to nothing, so a lookup table built from `{}` can hand back things it was never meant to contain. Both problems share the same mitigations: build such objects with `Object.create(null)`, check that a key is an own property before following it, and reject `__proto__`, `constructor` and `prototype` as keys in untrusted input.
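The recursive-merge variant described above, as an added example that is not part of the original article or of NodeBB's code: an unsanitised deep merge pollutes `Object.prototype` from a JSON payload, and a hardened merge of the same payload does not. The payload is constructed attacker input and the function names are assumptions.

```javascript
// Added example (not NodeBB's code) of prototype pollution through an
// unsanitised recursive merge, next to a hardened merge. The JSON payload is
// constructed attacker input; the function names are assumptions.

// Vulnerable: recurses into every key, including "__proto__". For a plain
// target, target["__proto__"] is Object.prototype, so the nested keys of the
// payload are written onto the global prototype and inherited everywhere.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: iterate own keys only, refuse the keys that reach the prototype
// chain, and never recurse into an inherited property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key)
          || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: JSON.parse creates an *own* property literally named
// "__proto__" (unlike an object literal, where it sets the prototype), which
// is exactly what an unsanitised merge then follows into Object.prototype.
const ATTACKER_JSON = '{"name": "alice", "__proto__": {"isAdmin": true}}';

// Runs the vulnerable merge and reports whether an unrelated, freshly created
// object now inherits isAdmin. Cleans up afterwards so the pollution does
// not leak into the rest of the process.
function demonstrateUnsafe() {
  unsafeMerge({}, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Same payload through the hardened merge: the legitimate key survives and
// no object outside the merge target gains isAdmin.
function demonstrateSafe() {
  const merged = safeMerge({}, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  return {
    name: merged.name,
    mergedIsAdmin: merged.isAdmin,
    polluted: unrelated.isAdmin === true,
  };
}

console.log('unsafe merge polluted Object.prototype:', demonstrateUnsafe());
console.log('safe merge result:', demonstrateSafe());
```

Note that the check has to happen on the key, not on the value: `JSON.parse` yields an ordinary own property called `__proto__`, so type checks on the payload alone do not catch it, and the polluted flag is visible on every object created afterwards, which is how a gadget such as an `isAdmin` check elsewhere in the application ends up flipped.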
Forum administrators running an affected installation are recommended to upgrade to NodeBB v2.6.1 or later as soon as possible. For installations that cannot be upgraded immediately, NodeBB's advisory also lists workarounds for CVE-2022-46164.