NocoDB, Reflected Cross-Site Scripting (XSS), CVE-2025-XXXX (Critical)

How the CVE Works:

The vulnerability in NocoDB lies in the password reset functionality, specifically in the API endpoint /api/v1/db/auth/password/reset/:tokenId. The root cause is insecure use of the EJS (Embedded JavaScript) template engine: the `resetPassword.ts` template renders the `tokenId` value with the `<%-` tag, which outputs its argument without HTML escaping. Because the value is taken from the URL path without validation, an attacker can place JavaScript in the `tokenId` path parameter. When the server renders the template, the injected script is returned in the page and executed in the victim's browser, which makes this a Reflected Cross-Site Scripting (XSS) vulnerability. It is triggered when a victim clicks a crafted malicious link containing the payload.

DailyCVE Form:

Platform: NocoDB
Version: Pre-2025 patches
Vulnerability: Reflected XSS
Severity: Critical
Date: Mar 6, 2025
(End of form)

What Undercode Says:

Exploitation:

1. Craft a malicious URL with a JavaScript payload in the `tokenId` parameter:

`/api/v1/db/auth/password/reset/`

2. Encode the payload to bypass basic filters:

`/api/v1/db/auth/password/reset/asdsad%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E`

3. Send the link to the victim. When clicked, the script executes in their browser.

Protection:

1. Sanitize user input using libraries like `DOMPurify` or validator.js.
2. Replace `<%-` with `<%=` in EJS templates to escape HTML characters.
3. Implement Content Security Policy (CSP) headers to restrict script execution:

`Content-Security-Policy: default-src 'self'; script-src 'self';`

4. Update NocoDB to the latest patched version.

Commands:

1. Check for vulnerable versions:

`npm list nocodb`

2. Apply patches:

`npm update nocodb`

References:

1. GitHub Advisory
2. EJS Documentation
3. DOMPurify

Code Snippets:

1. Sanitize input in EJS:

[javascript]
const sanitizeHtml = require('sanitize-html');
// Strip tags and attributes that are not on the allow-list before the value reaches a template
const cleanInput = sanitizeHtml(userInput);
[/javascript]

2. Secure EJS rendering:

[ejs]
<%= userInput %>
[/ejs]
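To make the difference between the two EJS tags concrete, here is an added example (not NocoDB's or EJS's own code) that models the `<%-` and `<%=` output tags with the same escape table EJS uses, renders a constructed password-reset fragment with both, and adds an assumed token-format check that rejects a hostile `tokenId` before it reaches any template. The template text, the token alphabet and the test value are all constructed for this illustration.

```javascript
// Added example: a minimal model of EJS's two output tags.
// `<%- x %>` inserts x verbatim; `<%= x %>` HTML-escapes it, using the
// same five replacements as EJS's built-in escape function.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Tiny renderer: handles only the two tag kinds relevant to this bug.
// Each tag names a key in `data`; missing keys render as an empty string.
function renderTemplate(template, data) {
  return template.replace(/<%([-=])\s*(\w+)\s*%>/g, (_, kind, name) => {
    const value = data[name] === undefined ? '' : data[name];
    return kind === '-' ? String(value) : escapeHtml(value);
  });
}

// Defensive check (assumed token format, not NocoDB's): a reset token should
// only ever contain URL-safe characters within a bounded length, so anything
// else is rejected before rendering, independent of how the template escapes.
const TOKEN_RE = /^[A-Za-z0-9_-]{16,128}$/;
function isValidTokenId(tokenId) {
  return TOKEN_RE.test(tokenId);
}

// Constructed reset-form fragment in its vulnerable and fixed forms.
const VULNERABLE_TEMPLATE = '<input type="hidden" name="token" value="<%- tokenId %>">';
const FIXED_TEMPLATE      = '<input type="hidden" name="token" value="<%= tokenId %>">';

// Constructed test value: a tokenId that closes the attribute and adds a script tag.
const HOSTILE_TOKEN = 'abc"><script>alert(1)</script>';

// Returns the rendering under both tags plus the validator's verdict on the value.
function demo() {
  return {
    unescaped: renderTemplate(VULNERABLE_TEMPLATE, { tokenId: HOSTILE_TOKEN }),
    escaped: renderTemplate(FIXED_TEMPLATE, { tokenId: HOSTILE_TOKEN }),
    accepted: isValidTokenId(HOSTILE_TOKEN),
  };
}

console.log(demo());
```

With `<%-` the script tag survives into the page; with `<%=` it is emitted as inert text, and the format check rejects the value outright.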

Analytics:

  • Affected Users: All NocoDB instances using pre-2025 versions.
  • Risk Level: Critical due to potential session hijacking and data theft.
  • Mitigation Adoption: Patch adoption rate is critical to reducing exploitation.

By following these steps, users can protect their systems from this critical vulnerability.

References:

Reported By: https://github.com/advisories/GHSA-wf6c-hrhf-86cw