Platform: nodejs
Component: nodebb
Fixed in: 12.2.3
CVE-2020-15149 is a critical privilege escalation vulnerability affecting NodeBB forum software. An attacker can exploit this flaw to change the password of any user on a running NodeBB instance by sending a specially crafted socket.io call. This vulnerability impacts versions 1.12.2–>=12.2.2, and less than 1.14.3. A fix is available in version 1.14.3, and a temporary workaround involves cherry-picking a specific commit.
The impact of CVE-2020-15149 is severe. Successful exploitation allows an attacker to take over any user account on the NodeBB forum. This can lead to unauthorized access to sensitive information, modification of forum content, and potentially compromise of the underlying server if the compromised account has administrative privileges. The vulnerability stems from insufficient validation of user input within the password change functionality, specifically in the socket.io communication channel. An attacker can craft a malicious socket.io message that bypasses these checks and forces a password reset for any user, effectively gaining complete control of that account.
CVE-2020-15149 was publicly disclosed on August 19, 2020. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and relatively straightforward exploitation path make it a potential target. No public proof-of-concept exploits were immediately available, but the vulnerability's nature suggests that such exploits could be developed and deployed. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.40% (61st percentile)
CVSS Vector
The primary mitigation for CVE-2020-15149 is to upgrade NodeBB to version 1.14.3 or later. This version includes a fix for the underlying validation issue. If upgrading is not immediately feasible, a temporary workaround is available: cherry-picking the commit 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a from the NodeBB repository into your existing installation. This commit addresses the flawed validation logic. After applying the cherry-pick or upgrading, verify the fix by attempting to trigger the password change functionality with a crafted socket.io call – it should now be rejected.
Update NodeBB to version 1.14.3 or higher. As an alternative, apply the patch from commit 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a manually.
CVE-2020-15149 is a critical vulnerability in NodeBB allowing attackers to change any user's password via crafted socket.io calls, leading to account takeover.
You are affected if you are running NodeBB versions 1.12.2–>=12.2.2, and less than 1.14.3. Check your version and upgrade immediately.
Upgrade NodeBB to version 1.14.3 or later. As a temporary workaround, cherry-pick commit 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the NodeBB security advisory for detailed information and updates: https://github.com/nodebb/nodebb/security/advisories/GHSA-5g8m-693c-4w6x