CVE-2023-26045 CRITICAL

CVE-2023-26045: NodeBB vulnerable to path traversal and code execution via prototype vulnerability

Vendor Nodebb
Product NodeBB
Weakness CWE-22 · Path traversal
Published July 24, 2023
Last update February 13, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

NodeBB is Node.js-based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to execute arbitrary JavaScript files on the local disk. This issue is patched in version 2.8.7. As a workaround, site maintainers can cherry-pick the fix into their codebase to patch the exploit.

Key dates

02 Disclosure timeline

July 24, 2023 CVE published
February 13, 2025 Record updated