PoC Code for NodeBB Account Takeover Flaw (CVE-2022-46164) Published
A security researcher has published details and proof-of-concept (PoC) code for a vulnerability in NodeBB that could be exploited to take over accounts.
The PoC exploit targets CVE-2022-46164, a critical vulnerability that could allow a remote attacker to bypass security restrictions. The flaw is caused by a plain object with a prototype being used in socket.io message handling; by sending a specially crafted payload, an attacker could exploit it to impersonate other users and take over accounts.
Tracked as CVE-2022-46164 (CVSS score of 9.4), the security defect was identified and reported by Stephen Bradshaw, with a patch available since the release of NodeBB version 2.6.1 in November 2022.
“Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts,” according to the GitHub advisory.
Today, Stephen Bradshaw shared the PoC exploit code for CVE-2022-46164 on GitHub, along with a write-up detailing the methods the exploit uses.
“CVE-2022-46164 resides within the Socket.IO implementation in NodeBB. This code enables socket based communication and handles a wide variety of forum functions,” the researcher explained.
“The null-prototype version of the Namespaces variable therefore fixes this vulnerability by removing access to properties we use for the exploit.”
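As an added illustration of the weakness the advisory describes (example code written for this article, not NodeBB's own), below is a minimal socket.io-style dispatcher that resolves dotted event names against a handler table. With a plain-object table, unregistered names such as "hasOwnProperty" or "constructor" still resolve through Object.prototype; a null-prototype table (the fix the researcher refers to) or an own-property check stops that. The table layout and the names NamespacesPlain, NamespacesSafe, resolveHandler and dispatch are assumptions for the example.

```javascript
// Added example (not NodeBB's code): a minimal socket.io-style dispatcher that
// resolves "namespace.method" strings against a handler table, first with a
// plain object (the vulnerable pattern) and then with a null-prototype object.
// NamespacesPlain, NamespacesSafe, resolveHandler and dispatch are assumed names.

// Plain object: inherits from Object.prototype, so lookups for names such as
// "constructor" or "hasOwnProperty" succeed even though nothing was registered.
const NamespacesPlain = {
  posts: { getPost: (socket, data) => ({ pid: data.pid, by: socket.uid }) },
};

// Hardened: Object.create(null) yields a table with no prototype chain at all.
const NamespacesSafe = Object.create(null);
NamespacesSafe.posts = Object.create(null);
NamespacesSafe.posts.getPost = (socket, data) => ({ pid: data.pid, by: socket.uid });

// Resolve a dotted event name against a table; returns the handler function or
// null. Against the plain table, inherited properties are reachable here.
function resolveHandler(table, eventName) {
  const [ns, method] = String(eventName).split('.');
  if (!ns || !method) return null;
  const namespace = table[ns];
  if (namespace === undefined || namespace === null) return null;
  const handler = namespace[method];
  return typeof handler === 'function' ? handler : null;
}

// Defensive resolver: only own properties count, whatever the table's prototype.
function resolveHandlerOwnOnly(table, eventName) {
  const [ns, method] = String(eventName).split('.');
  if (!ns || !method) return null;
  if (!Object.prototype.hasOwnProperty.call(table, ns)) return null;
  const namespace = table[ns];
  if (namespace === null || typeof namespace !== 'object') return null;
  if (!Object.prototype.hasOwnProperty.call(namespace, method)) return null;
  const handler = namespace[method];
  return typeof handler === 'function' ? handler : null;
}

// Simulate dispatch of one socket message: the handler's result, or an error
// object when nothing legitimate matched.
function dispatch(table, resolver, socket, eventName, data) {
  const handler = resolver(table, eventName);
  if (!handler) return { error: 'unknown event' };
  return handler(socket, data);
}
```

A quick audit of similar code is to search for handler tables built as object literals and checked only with `typeof x === 'function'`; each of those should either be created with Object.create(null) or guarded by an own-property check.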
Forum administrators running an affected NodeBB installation are advised to upgrade to an unaffected version (v2.6.1 or newer) as soon as possible. NodeBB has also offered workarounds in its guidance for mitigating this flaw.