NodeBB vulnerable to path traversal and code execution via prototype vulnerability
Description
NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to arbitrarily execute javascript files on the local disk. This issue is patched in version 2.8.7. As a workaround, site maintainers can cherry pick the fix into their codebase to patch the exploit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NodeBB forum software versions 2.5.0 to 2.8.6 allow arbitrary JavaScript execution via path traversal and object destructuring in user export.
Root
Cause NodeBB versions 2.5.0 through 2.8.6 contain a vulnerability in the user export functionality. The code uses object destructuring assignment (const { uid, type } = data) which allows an attacker to overwrite the type parameter. Combined with a path traversal issue, a crafted payload can cause the application to include arbitrary JavaScript files from the local filesystem [1][3].
Exploitation
An authenticated attacker can invoke the user export API with a specially crafted payload that sets the type parameter to a path traversal sequence (e.g., ../). This bypasses the intended validation and forces NodeBB to load and execute a JavaScript file from an arbitrary location on the server [4]. The attack requires user interaction? No, but the attacker must be able to send the export request.
Impact
Successful exploitation allows arbitrary code execution on the NodeBB server, potentially leading to full compromise of the application and underlying system. The vulnerability is rated high severity due to the ease of remote exploitation and the lack of required privileges beyond a valid account [1].
Mitigation
The issue is patched in NodeBB version 2.8.7. Site maintainers unable to upgrade can cherry-pick the commit that adds validation of the type parameter (commit ec58700) to prevent the path traversal [4]. No known public exploits have been reported at the time of disclosure.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nodebbnpm | >= 2.5.0, < 2.8.7 | 2.8.7 |
Affected products
2- NodeBB/NodeBBv5Range: >= 2.5.0, < 2.8.7
Patches
1ec58700f6dfffix: object destructuring overwriting type parameter
2 files changed · +5 −1
src/api/users.js+4 −0 modified@@ -443,6 +443,10 @@ usersAPI.changePicture = async (caller, data) => { }; usersAPI.generateExport = async (caller, { uid, type }) => { + const validTypes = ['profile', 'posts', 'uploads']; + if (!validTypes.includes(type)) { + throw new Error('[[error:invalid-data]]'); + } const count = await db.incrObjectField('locks', `export:${uid}${type}`); if (count > 1) { throw new Error('[[error:already-exporting]]');
src/socket.io/user/profile.js+1 −1 modified@@ -74,6 +74,6 @@ module.exports = function (SocketUser) { await user.isAdminOrSelf(socket.uid, data.uid); - api.users.generateExport(socket, { type, ...data }); + api.users.generateExport(socket, { type, uid: data.uid }); } };
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-vh2g-6c4x-5hmpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-26045ghsaADVISORY
- github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092ghsax_refsource_MISCWEB
- github.com/NodeBB/NodeBB/security/advisories/GHSA-vh2g-6c4x-5hmpghsax_refsource_CONFIRMWEB
- security.netapp.com/advisory/ntap-20230831-0004ghsaWEB
- security.netapp.com/advisory/ntap-20230831-0004/mitre
News mentions
0No linked articles in our index yet.