December 8, 2021

Security Vulnerability Disclosure, 08 Dec 2021

All of us at NodeBB are committed to delivering fully secure, bug-free software. At the same time, we believe in full transparency when it comes to disclosing security vulnerabilities.

Today’s blog post reveals a trio of security vulnerabilities that were present in prior releases of NodeBB. We were notified of these vulnerabilities the week of 25 October 2021, and we patched them and released a fixed version of NodeBB, v1.18.5, two days later, on 27 October.

The specifics of these vulnerabilities are available upon request, but they are considered critical and affect the security of the site. All site administrators are urged to upgrade to this patched version (v1.18.5) as soon as possible.

Alternatively, the following changesets can be cherry-picked into your installation of NodeBB in lieu of a full upgrade. These individual commits each patch a single vulnerability:

These vulnerabilities were revealed to us by Paul Gerste at SonarSource, who has provided a very detailed write-up of the vulnerabilities and how they affect running NodeBB systems. The vulnerabilities were submitted to the NodeBB team as part of our Bug Bounty Program, and the associated payout for this disclosure was $512 USD x 3 ($1,536 USD), as all three vulnerabilities were ranked critical in severity.

For more information on upgrading your NodeBB instance, please see our knowledge base article on Upgrading NodeBB.
