NodeBB Pre-Authentication Denial-of-Service
CVE-2023-30591

7.5 HIGH

Key Information:

CVE Published: 29 September 2023

What is CVE-2023-30591?

A vulnerability in NodeBB versions up to v2.8.10 allows an unauthenticated attacker to crash the application by sending crafted Socket.IO messages. The server expects the event name in a message to be a string, but a crafted message can supply an array or object instead; when NodeBB then calls eventName.startsWith() or eventName.toString() on that value, the call fails and the NodeBB process crashes. Users are advised to upgrade to the patched versions to mitigate this risk.
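The following is an added illustration, not NodeBB's own code: a minimal Socket.IO-style event dispatcher showing why calling a string method on a non-string event name throws, and the type check a server should apply before dispatching. The handler table and the "plugins." prefix convention are assumed for the example; the messages are constructed.

```javascript
// Constructed handler table; the event-name prefix convention is assumed.
const handlers = {
  'plugins.hello': (data) => ({ ok: true, echo: data }),
};

// Unguarded dispatch: assumes eventName is a string. A decoded JSON array
// or object has no .startsWith(), so the call throws a TypeError; if that
// exception is not caught in the socket handler, the Node process dies.
function dispatchUnguarded(eventName, data) {
  if (eventName.startsWith('plugins.')) {
    const fn = handlers[eventName];
    return fn ? fn(data) : { error: 'no such event' };
  }
  return { error: 'not a plugin event' };
}

// Guarded dispatch: validate the type (and a sane length) before any
// string method runs, and answer bad input with a controlled error.
function isValidEventName(eventName) {
  return typeof eventName === 'string'
    && eventName.length > 0
    && eventName.length <= 128;
}

function dispatchGuarded(eventName, data) {
  if (!isValidEventName(eventName)) {
    return { error: 'invalid event name' };
  }
  return dispatchUnguarded(eventName, data);
}

// Constructed messages as they would look after JSON decoding:
// one well-formed, two with a non-string event name.
const normalMsg = { ev: 'plugins.hello', data: 'hi' };
const badMsgs = [
  { ev: ['plugins.hello'], data: 1 },
  { ev: { name: 'plugins.hello' }, data: 1 },
];

// Reports whether the unguarded path throws a TypeError for a message.
function unguardedThrows(msg) {
  try {
    dispatchUnguarded(msg.ev, msg.data);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

The guarded path returns a controlled error for both malformed messages, while the unguarded path throws on each of them.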

Affected Version(s)

NodeBB, all versions up to and including 2.8.10

EPSS Score

53% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg).