NodeBB, Cross-Site Scripting (XSS), CVE-2025-29512 (Critical)


How CVE-2025-29512 Works

This stored XSS vulnerability in NodeBB v4.0.4 and prior allows attackers to inject malicious JavaScript payloads into the platform’s IP blacklist functionality. When an administrator views the blacklisted IPs section, the injected script executes in their browser context, enabling session hijacking, CSRF attacks, or disruption of moderation controls. The attack persists until manually removed from the database, potentially rendering the IP blocking feature unusable. The vulnerability stems from improper input sanitization when processing IP addresses in the moderation panel.
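The two controls this root cause calls for are validating entries before they are stored and encoding them when they are rendered. The following is an added example, not NodeBB's code or its actual patch: it assumes blacklist entries are stored one per line, and the function names and sample data are constructed for illustration.

```javascript
const net = require('net');

// Constructed sample of stored blacklist entries, one per line (assumed format).
const SAMPLE_RULES = [
  '203.0.113.7',
  '198.51.100.0/24',
  '2001:db8::/32',
  '<script>alert(document.cookie)</script>',
  '10.0.0.1 <b>note</b>',
].join('\n');

// True only for a literal IPv4/IPv6 address, optionally with a CIDR prefix.
function isValidRule(rule) {
  const m = /^([0-9a-fA-F:.]+)(?:\/(\d{1,3}))?$/.exec(rule);
  if (!m) return false;
  const family = net.isIP(m[1]); // 0 = not an IP, otherwise 4 or 6
  if (family === 0) return false;
  if (m[2] === undefined) return true;
  return Number(m[2]) <= (family === 4 ? 32 : 128);
}

// Encode the five HTML-significant characters so stored text renders as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Split stored rules into accepted entries and rejected ones (audit or cleanup).
function auditRules(text) {
  const accepted = [];
  const rejected = [];
  for (const line of text.split('\n')) {
    const rule = line.trim();
    if (rule === '') continue;
    (isValidRule(rule) ? accepted : rejected).push(rule);
  }
  return { accepted, rejected };
}

// Render for the admin view: every value is escaped, even ones that passed validation.
function renderRows(rules) {
  return rules.map((r) => `<li>${escapeHtml(r)}</li>`).join('');
}
```

Running `auditRules` over an export of the stored entries lists the values that are not plain addresses or CIDR ranges, which are the ones to review before cleanup.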

DailyCVE Form

Platform: NodeBB
Version: ≤4.0.4
Vulnerability: Stored XSS
Severity: Critical
Date: 04/23/2025

What Undercode Say:

Exploitation:

fetch('/admin/blacklist', {
  method: 'POST',
  body: 'ip=<script>alert(document.cookie)</script>&reason=exploit'
});

Detection:

grep -r "innerHTML.blacklist" /var/www/nodebb/

Patch Verification:

// Check sanitization in NodeBB v4.0.5+
const sanitize = require('sanitize-html');
console.log(sanitize('<script>test</script>'));

Mitigation Commands:

# Immediate workaround
sudo sed -i 's/unsafeHTML/sanitizeHTML/g' /var/www/nodebb/src/controllers/blacklist.js
# Database cleanup
mongo nodebb --eval 'db.blacklist.updateMany({}, { $unset: { notes: "" } })'

Nginx WAF Rule:

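location /admin/blacklist {
    modsecurity on;
    # The rule id below is a placeholder; use one from your local rule range.
    modsecurity_rules 'SecRule ARGS "@detectXSS" "id:1000001,phase:2,deny,status:403"';
}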

Log Analysis:

cat /var/log/nodebb.log | grep -E 'POST /blacklist|XSS|script'

CSP Header (Temporary Fix):

res.setHeader("Content-Security-Policy", "default-src 'self'");

Exploit Conditions:

if nodebb_version <= "4.0.4" and user_role == "admin":
    execute_xss_payload()

Backup Before Patching:

tar -czvf nodebb_backup_$(date +%F).tar.gz /var/www/nodebb/

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
