Skip to content
May 20, 2025
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Primary Menu
  • Home
  • Cyber Security
  • Cybercriminals
  • Data Leak
  • Linux
  • Malware Attack
  • Open Source Tool
  • Technology
  • Vulnerability
  • Home
  • News
  • Vulnerability
  • PoC Code for NodeBB Account Takeover Flaw (CVE-2022-46164) Published
  • Vulnerability

PoC Code for NodeBB Account Takeover Flaw (CVE-2022-46164) Published

Ddos January 4, 2023 2 min read
CVE-2022-46164 PoC

A security researcher has published details and proof-of-concept (PoC) code for a vulnerability in NodeBB that could be exploited to take over accounts.

The PoC exploit targets CVE-2022-46164, a critical vulnerability that could allow a remote attacker to bypass security restrictions, caused by a plain object with a prototype being used in socket.io message. By sending a specially-crafted payload, an attacker could exploit this vulnerability to impersonate other users and take over accounts.

CVE-2022-46164 PoC

Tracked as CVE-2022-46164 (CVSS score of 9.4), the security defect was identified and reported by Stephen Bradshaw, with a patch available since the release of NodeBB version 2.6.1 in November 2022.

“Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts,” according to GitHub advisory.

Today, Stephen Bradshaw shared the PoC exploit code for CVE-2022-46164 on Github, and also published the write-up with details on the methods used by the exploit.

“CVE-2022-46164 resides within the Socket.IO implementation in NodeBB. This code enables socket based communication and handles a wide variety of forum functions,” the researcher explained.

“The null-prototype version of the Namespaces variable therefore fixes this vulnerability by removing access to properties we use for the exploit.”

Forum administrators running an affected installation of the aforementioned bugs are recommended to upgrade to the unaffected NodeBB version (v2.6.1 or newer) version as soon as possible. NodeBB has offered workarounds in its guidance to patch the exploitation of this flaw.

Rate this post

Found this helpful?

If this article helped you, please share it with others who might benefit.

Tags: CVE-2022-46164 CVE-2022-46164 PoC NodeBB

Continue Reading

Previous: CVE-2022-43931: Critical Vulnerability in Synology VPN Plus Server software
Next: CVE-2022-39947: Fortinet FortiADC command injection

Search

💙 Support Us!
We need 50 contributors this month to keep this site running.
14 of 50 supporters this month
☕ Buy Me a Coffee PayPalDonate
Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • Disclaimer
    • Privacy Policy
    • DMCA NOTICE
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    Copyright © All rights reserved.
    x