Critical severityNVD Advisory· Published Dec 5, 2022· Updated Apr 23, 2025
Account takeover via prototype vulnerability
CVE-2022-46164
Description
NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit 48d143921753914da45926cca6370a92ed0c46b8 into their codebase to patch the exploit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nodebbnpm | < 2.6.1 | 2.6.1 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-rf3g-v8p5-p675ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-46164ghsaADVISORY
- github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8ghsax_refsource_MISCWEB
- github.com/NodeBB/NodeBB/releases/tag/v2.6.1ghsaWEB
- github.com/NodeBB/NodeBB/security/advisories/GHSA-rf3g-v8p5-p675ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.