XSS via prototype pollution
Description
NodeBB is an open source, Node.js-based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e., JavaScript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NodeBB v1.18.4 and earlier have a prototype pollution vulnerability in the uploader module that allows DOM injection and account takeover when chained with a path traversal.
Vulnerability
In NodeBB versions before 1.18.5, a prototype pollution vulnerability exists in the uploader module [1][2]. This bug allows a malicious user to inject arbitrary data (i.e., JavaScript) into the Document Object Model (DOM) of the forum application. The vulnerability is present in the upload functionality and requires no special privileges beyond being able to upload content. The attack surface is exposed to any authenticated forum user who can submit uploads.
Exploitation
An attacker must be an authenticated user of the NodeBB forum to exploit this vulnerability [1]. By crafting a malicious upload payload that pollutes the JavaScript prototype chain, the attacker can inject arbitrary JavaScript into the DOM. The injection occurs when the server processes the uploaded file and renders it in a way that interprets the polluted prototype. As the researcher notes, this can be combined with a path traversal vulnerability (CVE-2021-43788) to read arbitrary JSON files, potentially escalating to a full account takeover [1].
Impact
Successful exploitation allows the attacker to inject arbitrary JavaScript into the DOM, which can lead to Cross-Site Scripting (XSS) and, in conjunction with other vulnerabilities, account takeover [1]. The attacker could potentially steal session tokens, perform actions on behalf of the victim user, or read sensitive information from the page. The final impact described in the research is Remote Code Execution (RCE) on the NodeBB server, regardless of its configuration [1].
Mitigation
The vulnerability has been patched in NodeBB version 1.18.5, released on 2021-10-27 [2][3]. Users are strongly advised to upgrade to v1.18.5 or later as soon as possible. The fix includes disabling JavaScript in custom LESS tabs, which prevents the prototype pollution vector [3]. No workarounds are known for unpatched versions. If upgrading is not immediately possible, administrators should restrict upload permissions to trusted users only.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
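The two changes the fix commit on this page makes to `uploads.upload` (an own-property check on the handler table, and a null-prototype object for the per-socket upload state), reduced to a stand-alone JavaScript example. This is added illustration, not NodeBB's own code: the handler names mirror the `methodToFunc` keys visible in the patch, while the stub handler bodies, `dispatchUpload` and `lookupInFreshState` are invented for the demonstration.

```javascript
// Handler table as in the patched file; bodies are stubs (constructed).
const methodToFunc = {
  'user.uploadCroppedPicture': () => 'picture',
  'user.updateCover': () => 'cover',
  'groups.cover.update': () => 'group-cover',
};

// Pre-fix guard: a truthiness lookup on a plain object also finds
// properties inherited from Object.prototype, so a name such as
// 'constructor' or 'hasOwnProperty' passes even though it is not a
// registered upload handler.
function isAllowedMethodWeak(method) {
  return Boolean(method && methodToFunc[method]);
}

// Post-fix guard: only own properties of the handler table count.
// Object.prototype.hasOwnProperty.call() is used instead of
// methodToFunc.hasOwnProperty() so the check cannot be shadowed by a
// key literally named 'hasOwnProperty'.
function isAllowedMethodFixed(method) {
  return Boolean(method && Object.prototype.hasOwnProperty.call(methodToFunc, method));
}

// Mirrors the shape of the guard in uploads.upload; returns the handler
// the caller would go on to invoke, or throws as the real code does.
function dispatchUpload(data, fixed) {
  const guard = fixed ? isAllowedMethodFixed : isAllowedMethodWeak;
  if (!data || !data.chunk || !data.params || !guard(data.params.method)) {
    throw new Error('[[error:invalid-data]]');
  }
  return methodToFunc[data.params.method];
}

// Per-socket upload state, keyed by strings the client influences.
// A plain {} sits on Object.prototype, so reading a key that was never
// written (e.g. '__proto__') still yields an object; a null-prototype
// map yields undefined for anything it has not stored itself.
function newUploadState(useNullProto) {
  return useNullProto ? Object.create(null) : {};
}

// What the code would observe for `key` in a fresh, empty state object.
function lookupInFreshState(key, useNullProto) {
  return newUploadState(useNullProto)[key];
}
```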
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nodebb (npm) | >= 1.15.0, < 1.18.5 | 1.18.5 |
Affected products
- NodeBB/NodeBB: >= 1.15.5, < 1.18.5
Patches
- 1783f918bc19 fix: guard against prototype pollution
1 file changed · +3 −2
src/socket.io/uploads.js+3 −2 modified@@ -15,11 +15,12 @@ uploads.upload = async function (socket, data) { 'user.updateCover': socketUser.updateCover, 'groups.cover.update': socketGroup.cover.update, }; - if (!socket.uid || !data || !data.chunk || !data.params || !data.params.method || !methodToFunc[data.params.method]) { + if (!socket.uid || !data || !data.chunk || + !data.params || !data.params.method || !methodToFunc.hasOwnProperty(data.params.method)) { throw new Error('[[error:invalid-data]]'); } - inProgress[socket.id] = inProgress[socket.id] || {}; + inProgress[socket.id] = inProgress[socket.id] || Object.create(null); const socketUploads = inProgress[socket.id]; const { method } = data.params;
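Review bot: the new guard calls `methodToFunc.hasOwnProperty(data.params.method)` on the handler table itself; that works here because `methodToFunc` is a plain object literal, but `Object.prototype.hasOwnProperty.call(methodToFunc, data.params.method)` (or a `Set` of allowed method names) is the safer idiom, cannot be shadowed by a key named `hasOwnProperty`, and is what ESLint's `no-prototype-builtins` rule expects. The switch of `inProgress[socket.id]` to `Object.create(null)` is the right change for the per-socket state; note that `inProgress` itself remains a plain object, which is fine only as long as `socket.id` is never client-controlled. For readability the split condition would be clearer with one `!data.params...` clause per line rather than the current two-line wrap.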
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wx69-rvg3-x7fc [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2021-43787 [ghsa, ADVISORY]
- blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot [ghsa, WEB]
- blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/ [mitre, x_refsource_MISC]
- github.com/NodeBB/NodeBB/commit/1783f918bc19568f421473824461ff2ed7755e4c [ghsa, x_refsource_MISC, WEB]
- github.com/NodeBB/NodeBB/releases/tag/v1.18.5 [ghsa, x_refsource_MISC, WEB]
- github.com/NodeBB/NodeBB/security/advisories/GHSA-wx69-rvg3-x7fc [ghsa, x_refsource_CONFIRM, WEB]