The developers of NodeBB, a popular open-source forum platform, have disclosed a critical vulnerability affecting version v4.3.0. Tracked as CVE-2025-50979 with a CVSS score of 8.6, the flaw could allow remote attackers to perform SQL injection against the application’s search API.
NodeBB is widely deployed across online communities due to its real-time web sockets, mobile responsiveness, and RESTful APIs. It supports Redis, MongoDB, or PostgreSQL backends, offering flexibility for different deployment scenarios.
According to the CVE description, “NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and PostgreSQL error-based payloads.”
This means attackers can exploit the vulnerability without authentication, potentially retrieving sensitive data from the backend database, manipulating queries, or disrupting service availability.
Security researchers demonstrated the flaw using the penetration testing tool sqlmap, confirming the potential for automated exploitation. The command used for proof-of-concept testing included tamper scripts such as least, charencode, and escapequotes to bypass input sanitization.
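As an added example (not NodeBB's code and not the researchers' tooling), the following script scans web-server access logs for requests to the search-categories endpoint whose input has the shape of the boolean-based and PostgreSQL error-based payloads the advisory describes, decoding percent-encoded and backslash-escaped input of the kind the charencode and escapequotes tamper scripts produce. It assumes combined-format access logs and that the injectable query parameter is literally named `search`; the log lines are constructed.

```javascript
// Added detection example (not NodeBB code). Assumes combined-format access logs
// and that the injectable query parameter is literally named "search".
const ENDPOINT = '/api/v3/search/categories';

// Decode percent-encoding repeatedly (URLSearchParams already did one pass), so
// charencode-style fully encoded and double-encoded values are inspected in the clear.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed %xx: stop
    if (next === current) break;
    current = next;
  }
  return current;
}

// Heuristics for the payload classes the advisory names: boolean-based blind
// (quote break followed by an AND/OR comparison, optionally with an escapequotes-style
// backslash) and PostgreSQL error-based (type casts that make the server raise errors).
const SQLI_PATTERNS = [
  /\\?['"]\s*(?:or|and)\s+[\w'"]+\s*(?:=|<|>|like)/i,
  /\\?['"]\s*(?:--|\/\*|;)/,
  /::\s*(?:int|text|numeric)\b|\bcast\s*\(/i,
];

function analyzeAccessLogLine(line) {
  const m = line.match(/"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP\/[\d.]+"/);
  if (!m) return { endpoint: false, suspicious: false, reason: 'unparsed request line' };
  const q = m[1].indexOf('?');
  const path = q === -1 ? m[1] : m[1].slice(0, q);
  if (path !== ENDPOINT) return { endpoint: false, suspicious: false, reason: 'other endpoint' };
  const params = new URLSearchParams(q === -1 ? '' : m[1].slice(q + 1));
  const decoded = fullyDecode(params.get('search') ?? '');
  const hit = SQLI_PATTERNS.find((re) => re.test(decoded));
  return { endpoint: true, suspicious: hit !== undefined, decoded, reason: hit ? hit.source : 'clean' };
}

// Constructed sample log lines (not real traffic): a benign search, a fully
// percent-encoded boolean probe, a double-encoded backslash-quote probe, another endpoint.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Sep/2025:12:00:01 +0000] "GET /api/v3/search/categories?search=security HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Sep/2025:12:00:02 +0000] "GET /api/v3/search/categories?search=%73%65%63%27%20%4f%52%20%31%3d%31 HTTP/1.1" 200 9120',
  '203.0.113.5 - - [10/Sep/2025:12:00:03 +0000] "GET /api/v3/search/categories?search=sec%255C%2527%2520AND%25201%253D2 HTTP/1.1" 500 88',
  '198.51.100.7 - - [10/Sep/2025:12:00:04 +0000] "GET /api/v3/topics/1 HTTP/1.1" 200 2048',
];

function flaggedRequests(lines) {
  return lines.map(analyzeAccessLogLine).filter((r) => r.suspicious);
}

console.log(flaggedRequests(SAMPLE_LOG)); // the two probe lines, with their decoded input
```

The 500 status on the third constructed line is the kind of signal to correlate with: error-based injection leaves application errors in the logs alongside the odd-looking input.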
In practice, exploitation could allow adversaries to:
- Enumerate databases and extract sensitive forum data.
- Access user credentials or private messages stored in SQL databases.
- Cause denial of service by injecting malicious queries.
Given NodeBB’s popularity as a forum software powering both small communities and enterprise platforms, the impact of a successful exploit could be widespread. Attackers could harvest personal information, hijack forum accounts, or pivot into backend systems where PostgreSQL is in use.
At the time of disclosure, an official patch has been released. System administrators are advised to upgrade to the latest version as soon as possible.