How CVE-2025-29513 Works
This vulnerability exploits insufficient input sanitization in NodeBB’s admin API access token generator (v4.0.4 and prior). Attackers inject malicious JavaScript payloads into token metadata fields, which are stored and executed when administrators view the token management interface. The attack leverages the `admin.tokens.generate` API endpoint, where crafted `description` or `label` parameters bypass HTML filters. Persistent XSS occurs due to improper `content-security-policy` headers and lack of output encoding in the admin dashboard’s token listing view.
DailyCVE Form:
Platform: NodeBB
Version: ≤4.0.4
Vulnerability: Stored XSS
Severity: Critical
Date: 2025-04-18
What Undercode Say:
Exploitation:
1. Craft malicious token:

```bash
curl -X POST 'https://[bash]/api/v3/admin/tokens/generate' \
  -H 'Authorization: Bearer [bash]' \
  -d '{"description":"<script>alert(document.cookie)</script>"}'
```

2. Trigger execution:
Admin visits `/admin/settings/api`; the stored payload executes when the token listing renders.
Protection:
1. Patch: Upgrade to NodeBB ≥4.0.5.
2. Input Sanitization:

```javascript
const sanitize = require('sanitize-html');
// Strip every tag: token descriptions are plain text, never markup.
const cleanDesc = sanitize(userInput, { allowedTags: [] });
```
3. CSP Header:

```nginx
# Note: 'unsafe-inline' permits inline <script> blocks, which is what this payload is;
# the header only blocks it if 'unsafe-inline' is removed (or replaced by a per-request nonce).
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'";
```
4. Output Encoding:

```html
<div>{{{escapeHtml token.description}}}</div>
```
5. Log Monitoring:

```bash
grep -r "admin.tokens.generate" /var/log/nodebb/
```
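The output-encoding and input-validation steps above, as an added example that is not NodeBB's code: it contrasts a listing that concatenates the stored `description` into markup with one that encodes it at render time, and adds a plain-text check at the generate endpoint. The `renderTokenRow*` and `validateDescription` names and the token shape are assumptions.

```javascript
// Added example (not NodeBB's code): output encoding vs. raw concatenation
// for the token listing, plus a strict description validator for the API.

// Minimal HTML entity encoding for text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored description is inserted into markup as-is.
function renderTokenRowUnsafe(token) {
  return `<tr><td>${token.uid}</td><td>${token.description}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded at output time,
// regardless of what was stored or whether input sanitization ran.
function renderTokenRowSafe(token) {
  return `<tr><td>${escapeHtml(token.uid)}</td>` +
         `<td>${escapeHtml(token.description)}</td></tr>`;
}

// Defence in depth at the API boundary: accept only short plain text.
// Returns null when acceptable, otherwise the reason for rejection.
function validateDescription(desc) {
  if (typeof desc !== 'string') return 'description must be a string';
  if (desc.length > 200) return 'description too long';
  if (/[<>]/.test(desc)) return 'markup is not allowed in description';
  return null;
}

// Constructed sample: the advisory's payload stored as a token description.
const storedToken = { uid: 1, description: '<script>alert(document.cookie)</script>' };

// Summarises what each layer does with the stored payload.
function demo() {
  const unsafe = renderTokenRowUnsafe(storedToken);
  const safe = renderTokenRowSafe(storedToken);
  return {
    unsafeContainsScriptTag: unsafe.includes('<script>'),
    safeContainsScriptTag: safe.includes('<script>'),
    rejectedAtApi: validateDescription(storedToken.description) !== null,
  };
}
```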
Analytics:
- Attack Vector: Remote, Low Complexity
- Privilege Escalation: Yes (Admin Hijack)
- Exploitability: High (No Auth Required Post-Compromise)
Detection:
Check installed version:

```bash
grep '"version"' /path/to/nodebb/package.json
```
Mitigation Workaround:
```javascript
// Disable token generation temporarily; register this handler before NodeBB's
// own route so the 403 response is matched first.
router.post('/admin/tokens/generate', (req, res) => res.status(403).end());
```
Sources:
Reported By: nvd.nist.gov