CVE-2022-46164

CRITICAL

NodeBB <2.6.1 - RCE


Description

NodeBB is an open source Node.js based forum software. Because socket.io message handling used a plain JavaScript object (one that inherits from Object.prototype) where a prototype-less lookup table was needed, a specially crafted payload could be used to impersonate other users and take over accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to close the vulnerability.

Exploits (1)

nomisec: working PoC (12 stars)
by stephenbradshaw · poc
https://github.com/stephenbradshaw/CVE-2022-46164-poc

Scores

CVSS v3 9.4
EPSS 0.5684
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Details

CWE
CWE-665
Status published
Products (2)
nodebb/nodebb < 2.6.1
npm/nodebb 0 - 2.6.1 (npm)
Published Dec 05, 2022
Tracked Since Feb 18, 2026