VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2025 · Updated Mar 6, 2025

NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page

CVE-2025-27506

Description

NocoDB is software for building databases as spreadsheets. The API endpoint behind the password reset function, /api/v1/db/auth/password/reset/:tokenId, is vulnerable to Reflected Cross-Site Scripting. The flaw stems from how the client-side template engine ejs is used: in the file resetPassword.ts the template uses the insecure output tag "<%-", and the page is rendered by the function renderPasswordReset. This vulnerability is fixed in 0.258.0.
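To make the rendering context concrete, here is an added example (not NocoDB's code) that contrasts HTML-entity escaping with JavaScript-context serialization for a token placed in an inline script data block like the one on the reset page; the function names, the token format allowlist and the sample token are assumptions of the example, not names or values from the project.

```javascript
// Added example, not NocoDB's code: how a server-issued token should be embedded
// in the inline <script> data block that the reset-password page uses, and why
// HTML-entity escaping alone (EJS "<%= %>") is the wrong tool for that context.

// Stand-in for the escaper behind EJS "<%= %>" (it rewrites & < > " ').
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Serialize a value for a JavaScript context: JSON.stringify yields a valid JS
// string literal, then the characters that could still close the <script>
// element or confuse the JS parser are written as \u escapes. Entities are not
// decoded inside script content, so this is the layer where escaping belongs.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Builds the `token:` line of the page's data object in two ways: 'quotedHtml'
// mirrors the patched template (value HTML-escaped, then wrapped in quotes);
// 'jsLiteral' serializes for the script context instead.
function renderTokenLine(token, mode) {
  if (mode === 'quotedHtml') return `token: '${htmlEscape(token)}',`;
  if (mode === 'jsLiteral') return `token: ${jsLiteral(token)},`;
  throw new Error(`unknown mode: ${mode}`);
}

// What the browser's JS engine ends up with for that line: parse it as an object
// literal (no DOM, no HTML decoding, exactly like script content) and read .token.
function tokenSeenByBrowser(line) {
  return Function(`return ({ ${line} }).token;`)();
}

// Assumed, not from the page: reset tokens are opaque URL-safe strings, so the
// controller can reject anything outside this allowlist before rendering at all.
const TOKEN_FORMAT = /^[A-Za-z0-9_-]{16,128}$/;
function isWellFormedToken(token) {
  return typeof token === 'string' && TOKEN_FORMAT.test(token);
}

// Constructed token carrying the three characters that matter in this context.
const SAMPLE_TOKEN = "abc'</script>\"xyz";
```

With the quoted-and-HTML-escaped form the script boundary survives but the token reaches the browser as entity text, so it no longer equals what the server issued; the JSON form keeps both properties.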

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
nocodb    npm         < 0.258.0           0.258.0

Patches

ea821edb133e

fix: password reset page

https://github.com/nocodb/nocodb · Pranav C · Nov 7, 2024 · via ghsa
3 files changed · +3 −3
  • packages/nocodb/src/modules/auth/auth.controller.ts  +1 −1  modified
    @@ -257,7 +257,7 @@ export class AuthController {
               (await import('~/modules/auth/ui/auth/resetPassword')).default,
               {
                 ncPublicUrl: process.env.NC_PUBLIC_URL || '',
    -            token: JSON.stringify(tokenId),
    +            token: tokenId,
                 baseUrl: `/`,
               },
             ),
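Review bot: dropping `JSON.stringify(tokenId)` makes this line depend on the template quoting the value itself (the `token: '<%= token %>'` change in resetPassword.ts and emailVerify.ts); neither side is safe applied alone, so a comment here stating that the template must quote and escape the value, plus a test that renders the page with a token containing `'`, `"` and `<`, would keep a later edit from reintroducing the issue. Consider also rejecting a `tokenId` that does not match the expected token format before rendering anything.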
    
  • packages/nocodb/src/modules/auth/ui/auth/emailVerify.ts  +1 −1  modified
    @@ -42,7 +42,7 @@ export default `<!DOCTYPE html>
           valid: null,
           errMsg: null,
           validForm: false,
    -      token: <%= token %>,
    +      token: '<%= token %>',
           greeting: 'Password Reset',
           formdata: {
             password: '',
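Review bot: `'<%= token %>'` puts the value inside a JavaScript string within a `<script>` element, where the HTML-entity escaping of EJS `<%=` is the wrong layer: a token containing `'` arrives in the script as the literal text `&#39;` (entities are not decoded inside script content), so the quote cannot terminate the string, but the token value is altered and will not match what the server issued. Serialising the value with `JSON.stringify` in the template, with `<` rewritten to `\u003c`, keeps it intact and closes the same gap; at minimum, validate the token's character set before it reaches the template.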
    
  • packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts  +1 −1  modified
    @@ -68,7 +68,7 @@ export default `<!DOCTYPE html>
         data: {
           valid: null,
           validForm: false,
    -      token: <%= token %>,
    +      token: '<%= token %>',
           greeting: 'Password Reset',
           formdata: {
             password: '',
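Review bot: the advisory text attributes the flaw to an unescaped `<%-` tag, but the line removed here uses the escaping `<%=`; the defect visible in this diff is the missing quotes around a value interpolated into a JavaScript context, so the commit message and the advisory wording should say that, and a repository search for any remaining `<%-` usage in these auth templates is worth doing before the issue is closed. The same serialisation remark as for emailVerify.ts applies to this line.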
    
