Path traversal in translator module of NodeBB
Description
NodeBB is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected languages/ directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NodeBB v1.18.5 fixes a path traversal vulnerability (CVE-2021-43788) allowing authenticated users to read arbitrary JSON files outside the languages/ directory.
Vulnerability
In NodeBB versions prior to v1.18.5, a path traversal vulnerability existed in the languages/ directory handling. An authenticated attacker could craft a request that escapes the intended directory, allowing access to arbitrary JSON files on the server's filesystem. The vulnerability stemmed from insufficient path sanitization when loading language files [1][2].
Exploitation
The traversal is reached by manipulating the language-file parameter in a request. Because the vulnerable code path is exposed to any authenticated user, an attacker needs only a valid account on the forum. By inserting directory traversal sequences (e.g., ../) into the request, they can read any JSON file readable by the NodeBB process [1].
Impact
Successful exploitation enables the attacker to read arbitrary JSON files outside the languages/ directory. This could expose sensitive configuration data, secrets, or other user data stored in JSON format on the server. The impact is particularly severe when combined with other vulnerabilities, such as the server-side template injection described in the Sonar research, which can lead to remote code execution [1].
Mitigation
The vulnerability is patched in NodeBB version v1.18.5, released on 2021-10-27 and announced on 2021-11-29 [3]. Users should upgrade to v1.18.5 or later immediately. No workaround other than upgrading is available [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nodebb (npm) | >= 1.0.4, < 1.18.5 | 1.18.5 |
Affected products
- NodeBB/NodeBB (v5) Range: >= 1.0.4, < 1.18.5
Patches
c8b2fc46dc69 fix: translator path traversal
3 files changed · +11 −2
src/languages.js+5 −1 modified@@ -13,7 +13,11 @@ const files = fs.readdirSync(path.join(paths.nodeModules, '/timeago/locales')); Languages.timeagoCodes = files.filter(f => f.startsWith('jquery.timeago')).map(f => f.split('.')[2]); Languages.get = async function (language, namespace) { - const data = await fs.promises.readFile(path.join(languagesPath, language, `${namespace}.json`), 'utf8'); + const pathToLanguageFile = path.join(languagesPath, language, `${namespace}.json`); + if (!pathToLanguageFile.startsWith(languagesPath)) { + throw new Error('[[error:invalid-path]]'); + } + const data = await fs.promises.readFile(pathToLanguageFile, 'utf8'); const parsed = JSON.parse(data) || {}; const result = await plugins.hooks.fire('filter:languages.get', { language,
test/posts.js+1 −1 modified@@ -1,7 +1,7 @@ 'use strict'; -const assert = require('assert'); +const assert = require('assert'); const async = require('async'); const request = require('request'); const nconf = require('nconf');
test/translator.js+5 −0 modified@@ -35,6 +35,11 @@ describe('Translator shim', () => { const translated = await shim.translate('', 'en-GB'); assert.strictEqual(translated, ''); }); + + it('should not allow path traversal', async () => { + const t = await shim.translate('[[../../../../config:secret]]'); + assert.strictEqual(t, 'secret'); + }); }); });
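Review bot: in src/languages.js the containment check `if (!pathToLanguageFile.startsWith(languagesPath))` compares against the bare directory string, so a joined path inside a sibling directory whose name merely begins with languagesPath (for example `${languagesPath}-backup/...`) would pass. Compare against `languagesPath + path.sep` (or decide containment with `path.relative`) and make sure languagesPath is absolute and normalised so the prefix comparison is well-defined; the check is otherwise sound against `..`, since `path.join` normalises those segments before the comparison.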
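Review bot: in test/posts.js the removed and re-added `const assert = require('assert');` lines are textually identical, so this is presumably a whitespace or line-ending change; it is unrelated to the traversal fix and would be cleaner in its own commit or called out in the commit message.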
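Review bot: in test/translator.js the new test's expected value 'secret' is the key name itself, i.e. the translator's fallback output, so the test would also pass if a file outside languages/ were read but contained no 'secret' entry. A stronger assertion would call Languages.get directly with a traversal namespace and expect it to reject with '[[error:invalid-path]]', which is what the src/languages.js hunk now throws.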
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pfj7-2qfw-vwgm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-43788 (ghsa, ADVISORY)
- blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot (ghsa, WEB)
- blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/ (mitre, x_refsource_MISC)
- github.com/NodeBB/NodeBB/commit/c8b2fc46dc698db687379106b3f01c71b80f495f (ghsa, x_refsource_MISC, WEB)
- github.com/NodeBB/NodeBB/releases/tag/v1.18.5 (ghsa, x_refsource_MISC, WEB)
- github.com/NodeBB/NodeBB/security/advisories/GHSA-pfj7-2qfw-vwgm (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.