VYPR
Moderate severity · NVD Advisory · Published Nov 13, 2022 · Updated Apr 15, 2025

NodeBB abort cross-site request forgery

CVE-2022-3978

Description

A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this issue. The name of the patch is 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-213555.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NodeBB up to 2.5.7 has a CSRF vulnerability on the /register/abort endpoint that lets a remote attacker abort a victim's pending registration without their consent.

Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability was discovered in the NodeBB forum software affecting versions up to and including 2.5.7. The issue resides in the /register/abort endpoint, which lacks proper CSRF token validation [1][2]. This allows an attacker to force a victim's browser to make an unauthorized request to abort their registration process.

Exploitation

The attack is launched remotely: the attacker gets the victim to open an attacker-controlled page (a link to it is enough), and that page makes the victim's browser submit a POST to /register/abort, the method the fix's tests use [1]. The browser attaches the victim's NodeBB session cookie to that request on its own, so the victim must have a live session with a registration in progress. The attacker needs no forum account or other privilege, because the endpoint performs no CSRF token check at all [2][4].

Impact

Successful exploitation cancels the victim's pending registration, so they have to start over; the fix's tests also call the endpoint from a logged-in session to undo a pending email-update step, so that interstitial can be cancelled the same way. This can be used to disrupt onboarding or as one step in a larger attack chain, but the impact is limited to registration disruption. The issue tracker initially recorded the attack as requiring local access, whereas the CVE record classes it as remotely exploitable [1][4]; the latter is the correct reading for CSRF, since the request is issued by the victim's own browser regardless of where the attacker is.

Mitigation

The vulnerability is fixed in NodeBB 2.5.8, which validates a CSRF token on /register/abort [2][3]. Upgrade to that version or cherry-pick commit 2f9d8c3. Note that the diff of that commit shown on this page touches only the test suite, changing each test to send _csrf with its POST to the endpoint; the practical check after upgrading is that a POST to /register/abort carrying a valid session cookie but no token is rejected, while the same request with the token from the page still succeeds.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
nodebb (npm)   < 2.5.8             2.5.8

Affected products (2)
  • ghsa-coords
    Range: < 2.5.8
  • unspecified/NodeBBv5
    Range: 2.5.0

Patches (1)
2f9d8c350e54

fix: pass csrf_token into calls to /register/abort, #11017

https://github.com/NodeBB/NodeBB · Julian Lam · Nov 9, 2022 · via ghsa
3 files changed · +8 −5
  • test/api.js+1 1 modified
    @@ -485,7 +485,7 @@ describe('API', async () => {
     					const affectedPaths = ['GET /api/user/{userslug}/edit/email'];
     					if (affectedPaths.includes(`${method.toUpperCase()} ${path}`)) {
     						await request({
    -							uri: `${nconf.get('url')}/register/abort`,
    +							uri: `${nconf.get('url')}/register/abort?_csrf=${csrfToken}`,
     							method: 'POST',
     							jar,
     							simple: false,
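Review bot: this only shows the abort succeeding once _csrf is supplied; there is no companion request that POSTs to the same URI with the jar but without _csrf and asserts it is rejected, which is the regression this fix exists to pin down. Note that with simple: false the promise will not reject on a 403, so that negative case has to check the status code explicitly.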
    
  • test/controllers.js+4 2 modified
    @@ -1237,8 +1237,10 @@ describe('Controllers', () => {
     
     	describe('account pages', () => {
     		let jar;
    +		let csrf_token;
    +
     		before(async () => {
    -			({ jar } = await helpers.loginUser('foo', 'barbar'));
    +			({ jar, csrf_token } = await helpers.loginUser('foo', 'barbar'));
     		});
     
     		it('should redirect to account page with logged in user', (done) => {
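Review bot: csrf_token is snake_case here while the equivalent variable in test/api.js in this same change is csrfToken; both mirror what helpers.loginUser returns, but one spelling across the three test files would make the token plumbing easier to grep. No functional concern with the before hook change.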
    @@ -1802,7 +1804,7 @@ describe('Controllers', () => {
     			assert.strictEqual(res.body, '/register/complete');
     
     			await requestAsync({
    -				uri: `${nconf.get('url')}/register/abort`,
    +				uri: `${nconf.get('url')}/register/abort?_csrf=${csrf_token}`,
     				method: 'post',
     				jar,
     				simple: false,
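Review bot: the token is interpolated straight into the query string (`/register/abort?_csrf=${csrf_token}`). csurf reads _csrf from the query as well as the body and the x-csrf-token header, so this works, but wrapping it in encodeURIComponent costs nothing and guards against a change in token format, and sending it in the request body or a header keeps the token out of the URL and hence out of access logs.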
    
  • test/user.js+3 2 modified
    @@ -814,6 +814,7 @@ describe('User', () => {
     	describe('profile methods', () => {
     		let uid;
     		let jar;
    +		let csrf_token;
     
     		before(async () => {
     			const newUid = await User.create({ username: 'updateprofile', email: 'update@me.com', password: '123456' });
    @@ -822,7 +823,7 @@ describe('User', () => {
     			await User.setUserField(uid, 'email', 'update@me.com');
     			await User.email.confirmByUid(uid);
     
    -			({ jar } = await helpers.loginUser('updateprofile', '123456'));
    +			({ jar, csrf_token } = await helpers.loginUser('updateprofile', '123456'));
     		});
     
     		it('should return error if not logged in', async () => {
    @@ -1287,7 +1288,7 @@ describe('User', () => {
     
     			// Accessing this page will mark the user's account as needing an updated email, below code undo's.
     			await requestAsync({
    -				uri: `${nconf.get('url')}/register/abort`,
    +				uri: `${nconf.get('url')}/register/abort?_csrf=${csrf_token}`,
     				jar,
     				method: 'POST',
     				simple: false,
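Review bot: this abort is cleanup that later assertions depend on ("below code undo's"), yet with simple: false a 403 from a missing or stale token would be swallowed and the account would stay flagged as needing an updated email, failing some later test far from the cause. Capture the response here and assert on statusCode. While here, the context comment should read "undoes" rather than "undo's".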
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.