NodeBB Pre-Authentication Denial-of-Service
CVE-2023-30591
7.5 HIGH
What is CVE-2023-30591?
NodeBB versions up to and including v2.8.10 can be crashed by an unauthenticated attacker who sends a crafted Socket.IO message whose event name (the first element of the packet's data array) is an array or an object rather than a string. The server calls eventName.startsWith() or eventName.toString() on that value without first checking its type: an array has no startsWith() method, and an object can carry a non-callable toString property, so the call throws a TypeError that is not caught and brings down the NodeBB application. Because no authentication is required, any client that can reach the Socket.IO endpoint can trigger the crash. Users should upgrade to a patched release.
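To make the bug class concrete, the following is an added illustration rather than NodeBB's own code: a minimal Socket.IO-style event dispatcher that assumes the event name is a string, placed next to a hardened variant that checks the type before calling any string method. The handler table, the dispatcher and helper names, and the three payloads are all constructed for this example.

```javascript
// Added example, not NodeBB's code. A toy routing table keyed by a dotted
// "namespace.method" event name, standing in for a real RPC-style socket API.
const handlers = {
  posts: { getPost: () => 'ok:posts.getPost' },
  admin: { getStats: () => 'ok:admin.getStats' },
};

// Resolve "namespace.method" against the table (assumes a string input).
function route(name) {
  const [namespace, method] = name.split('.');
  const fn = handlers[namespace] && handlers[namespace][method];
  return fn ? fn() : 'error:no-such-method';
}

// Shape of a decoded Socket.IO EVENT packet: data[0] is the event name and
// data[1] the arguments. On the wire this is 42["posts.getPost",{...}], and
// the client fully controls the JSON type of data[0].

// Vulnerable pattern: trusts that data[0] is a string. Each string-method
// call below is a crash point when the attacker sends a different JSON type.
function dispatchVulnerable(payload, isAdmin) {
  const eventName = payload.data[0];
  if (!eventName) return 'error:empty-event';
  // {"toString": null} -> TypeError: eventName.toString is not a function
  const name = eventName.toString();
  // ["posts.getPost"] (an array) -> TypeError: eventName.startsWith is not a function
  if (eventName.startsWith('admin.') && !isAdmin) return 'error:not-authorized';
  return route(name);
}

// Hardened pattern: reject anything that is not a non-empty string before
// any string method is called on it, so malformed input gets an error reply
// instead of an exception.
function dispatchHardened(payload, isAdmin) {
  const eventName = payload.data[0];
  if (typeof eventName !== 'string' || eventName.length === 0) {
    return 'error:invalid-event';
  }
  if (eventName.startsWith('admin.') && !isAdmin) return 'error:not-authorized';
  return route(eventName);
}

// Run a dispatcher and record whether it threw. In a real server the handler
// is an async function, so an escaping exception becomes a rejected promise;
// an unhandled rejection terminates the process by default on Node.js 15+.
function tryDispatch(fn, payload) {
  try {
    return { crashed: false, result: fn(payload, false) };
  } catch (err) {
    return { crashed: true, result: err.constructor.name };
  }
}

// Constructed payloads: one benign, two with a non-string event name.
const benign = { data: ['posts.getPost', {}] };
const arrayName = { data: [['posts.getPost'], {}] };
const nullToString = { data: [{ toString: null }, {}] };

// Exercise both dispatchers against all three payloads and return the table.
function demo() {
  const cases = { benign, arrayName, nullToString };
  const out = {};
  for (const [label, payload] of Object.entries(cases)) {
    out[label] = {
      vulnerable: tryDispatch(dispatchVulnerable, payload),
      hardened: tryDispatch(dispatchHardened, payload),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The type check belongs at the boundary where the untrusted packet is decoded, before any code path branches on the event name; a check added only in front of one string method leaves the other as a crash point. Recent versions of the socket.io-parser package also validate the event name type when decoding a packet, but an application should not rely on that alone for a value it goes on to treat as a string.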
Affected Version(s)
NodeBB, all versions up to and including 2.8.10
References
EPSS Score
53% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)
