Reflected Cross-Site Scripting Vulnerability in NocoDB Password Reset Function
CVE-2025-27506
5.4 MEDIUM
What is CVE-2025-27506?
NocoDB, a platform that lets users build databases as spreadsheets, contains a reflected cross-site scripting vulnerability in its password reset functionality. The flaw lies in the API endpoint that handles password resets, located at /api/v1/db/auth/password/reset/:tokenId. It arises from the use of an insecure client-side template engine, 'ejs', in the resetPassword.ts file: the template uses the '<%-' output tag, which emits its value without HTML escaping, so attacker-controlled input is reflected into the page and malicious scripts can be injected. Users are urged to upgrade to version 0.258.0 to mitigate this risk.
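The tag distinction behind this bug, as an added example (not NocoDB's code): a minimal renderer that models EJS's two output tags and applies the same five-character escaping EJS uses for '<%='. The template strings, the sample token and the helper names are constructed here for illustration.

```javascript
// Added example, not from NocoDB: models EJS '<%= %>' (escaped) vs '<%- %>' (raw).
// The same five characters EJS encodes for '<%='.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Minimal EJS-like renderer: only '<%= name %>' and '<%- name %>' with a dotted path.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_, tag, path) => {
    const value = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), data);
    const text = value === undefined ? '' : String(value);
    return tag === '-' ? text : escapeHtml(text); // '-' bypasses escaping
  });
}

// Defender check: list every raw ('<%-') interpolation in a template so it can be reviewed.
function auditTemplate(template) {
  const raw = [];
  for (const m of template.matchAll(/<%-\s*([\w.]+)\s*%>/g)) raw.push(m[1]);
  return raw;
}

// Constructed templates standing in for the reset page; the URL path is from the advisory.
const VULNERABLE_TEMPLATE = '<form action="/api/v1/db/auth/password/reset/<%- token %>">';
const FIXED_TEMPLATE = '<form action="/api/v1/db/auth/password/reset/<%= token %>">';

// Constructed token carrying markup, as an attacker-controlled :tokenId segment would.
const SAMPLE_TOKEN = 'abc"><script>probe()</script>';

function renderVulnerable(token) { return render(VULNERABLE_TEMPLATE, { token }); }
function renderFixed(token) { return render(FIXED_TEMPLATE, { token }); }

console.log('raw tags in vulnerable template:', auditTemplate(VULNERABLE_TEMPLATE));
console.log('vulnerable:', renderVulnerable(SAMPLE_TOKEN)); // markup survives intact
console.log('fixed:     ', renderFixed(SAMPLE_TOKEN));      // markup neutralised
```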
Affected Version(s)
nocodb < 0.258.0
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged