Here at NodeBB, we pride ourselves on producing high-quality and secure code, and we regularly put that to the test by utilising our own software[1]. However, no code is 100% perfect, and there might be some vulnerabilities and bugs that could critically impact running instances of NodeBB.
As of November 2017, we’ve launched a bug bounty program to supplement our efforts to find these vulnerabilities and to reward those who submit them to us for fixing. Security vulnerabilities can be reported to the NodeBB team by emailing security@nodebb.org.
We take every issue seriously, and aim to triage and deploy a fix as soon as possible.
Our mean time for a first response is: < 1 day.
Our mean time for a committed fix is: 2-3 days.
We will award bounties for verified and qualified vulnerabilities as follows:
- `curl` command that successfully demonstrates the vulnerability

If you are unsure about any of the above limitations, please reach out to us at security@nodebb.org (or use the contact form). We want to empower people to find and disclose vulnerabilities while reducing wasted time (on our part and yours!) as much as possible.
We’ll do our best to prioritise security issues over any other issues at NodeBB, so we would kindly ask you to hold off on disclosure until a time is agreed upon (typically 30-90 days).
[1] Yes, of course we dogfood our own product! It’d be a little sad if we didn’t, wouldn’t it?
Date | Type | Description | Reporter | Fixed in |
---|---|---|---|---|
16/8/2017 | XSS | XSS in chat | Jigar Thakkar | 1.6.0 |
16/8/2017 | Bug | window.opener is defined in target="_blank" links | Jigar Thakkar | N/A |
16/8/2017 | Bug | Password reset route needs brute force prevention measures | Jigar Thakkar | 1.6.0 |
16/8/2017 | Bug | Password reset tokens should expire if email changed | Jigar Thakkar | 1.6.0 |
18/8/2017 | XSS | XSS in Moderation Note at /user//info | Jigar Thakkar | 1.6.0 |
15/9/2017 | Bug | Information disclosure in groups API | Andrew Cook | 1.6.1 |
9/10/2017 | XSS | XSS on outgoing url click (javascript: protocol payload) | Larry Yuan | 1.6.1 |
13/10/2017 | XSS | XSS in flag list and details page | Private Report | 1.7.0 |
31/10/2017 | XSS | Stored XSS due to vulnerable image upload handling | Alexander Antukh | 1.7.0 |
8/11/2017 | Bug | Unintentional leakage of private user information in users API | Artur Matczak | 1.7.0 |
29/11/2017 | Bug | Message retrieval via socket (mid) doesn't check uid | Alexander Antukh | 1.7.2 |
30/11/2017 | XSS | Stored XSS in x-forwarded-for | Alexander Antukh | 1.7.2 |
1/12/2017 | XSS | Stored XSS in the admin panel (registration queue), script in email field | Alexander Antukh | 1.7.2 |
1/12/2017 | Bug | User list CSV DoS if referenced as image and pasted many many times | Alexander Antukh | 1.7.2 |
14/12/2017 | Bug | Image upload by URL can leak port status via reflection | Private Report | 1.7.3 |
11/12/2017 | Bug | Information disclosure (IP addresses) via post-geolocation | Artur Matczak | 1.7.3 |
15/1/2018 | Bug | Reset token contained in Referer header when navigating to external links | Ali Razzaq | 1.7.4 |
20/2/2018 | Bug | Token leak in referer header from external resources loaded in reset confirmation page | Private Report | 1.8.0 |
21/2/2018 | Bug | Strict transport security not enforced | Private Report | 1.8.0 |
26/3/2018 | Bug | Password Policy not enforced in password reset route | Mohammed Abdul Raheem | 1.8.2 |
3/4/2018 | Bug | window.opener exposed on outgoing links opened in new tab | Albin Thomas | 1.8.2 |
3/4/2018 | CSRF | No CSRF in SSO disassociate | Larry Yuan | |
12/4/2018 | XSS | Emoji are not sanitized when put into a link or image URL. | Larry Yuan | (1.9.0) |
3/6/2018 | Bug | Window opener is available if user specifies opening of external links in new tab (noopener not adhered to by ajaxify) | Albin Thomas | 1.10.0 |
5/6/2018 | Other | nodebb.org domain missing DMARC record, SPF is set to softfail | Mohammed Abdul Raheem | N/A |
5/6/2018 | CSRF | SSO implementation missing CSRF/state/nonce protection | Larry Yuan | 1.10.0 |
11/6/2018 | XSS | XSS in Chat "roomName" parameter | Alexander Antukh | 1.10.0 |
22/6/2018 | XSS | XSS in upload from URL | Piyush Malik | 1.10.0 |
26/6/2018 | XSS | XSS in composer route | Huzaifa Jawaid | 1.10.0 |
29/6/2018 | Other | Missing session revocation on email change | Shammam Raza | 1.10.1 |
3/7/2018 | Bug | Socket user.deleteAccount has no server-side checks for password correctness | Chakri | 1.10.1 |
4/7/2018 | Bug | Reset code leaked to third-party analytics, etc. due to presence in path | Yeasir Arafat | 1.10.1 |
11/7/2018 | Bug | Change password/email routes do not have brute force protection for password | Vicky Vk | 1.10.2 |
5/9/2018 | XSS | Post queue XSS | Artur Matczak | 1.10.2 |
10/9/2018 | Bug | Uploading large image hangs NodeBB | Buğra Eskici | 1.10.2 |
21/12/2018 | Bug | 2FA can be disabled on login screen | Buğra Eskici | 1.12.0 |
16/01/2019 | Other | Local file traversal | Jacopo Gallelli | 1.12.0 |
21/09/2019 | XSS | SVG upload as cover with malicious js | Qing Wang | 1.13.0 |
30/11/2019 | Bug | User profile page shows content of deleted posts | Yossi Zahn | 1.13.1 |
16/12/2019 | Bug | Composer open redirection | Patrick Philip Sanchez | 1.13.1 |
7/1/2020 | Privilege Escalation | Privilege escalation to admin | opliko | 1.13.2 |
11/1/2020 | Bug | XSS in language field on settings page | Numan Turle | 1.13.2 |
15/1/2020 | XSS | XSS in topic thumb upload | Numan Turle | 1.13.2 |
17/1/2020 | Bug | XSS on user settings page homepageRoute/bootswatchSkin | Numan Turle | 1.13.2 |
15/1/2020 | Bug | XSS on flags state page | Numan Turle | 1.13.2 |
18/1/2020 | Other | Local file deletion by admin/gmod only | Numan Turle | 1.13.2 |
19/1/2020 | XSS | XSS on ?register query param | Numan Turle | 1.13.2 |
19/1/2020 | XSS | XSS on room system messages | Numan Turle | 1.13.2 |
23/1/2020 | Bug | Hidden email leak when creating flag | Numan Turle | 1.13.2 |
24/1/2020 | Privilege Escalation | Ability to change owner without permission | Numan Turle | 1.13.2 |
25/1/2020 | XSS | XSS by global mod in IP blacklist | Numan Turle | 1.13.2 |
19/07/2020 | Other | Reverse tabnabbing in post images | BugUsr | 1.14.0 |
19/06/2020 | Other | Long-lived profiles expose DoS capability via profile export | Boomzilla | |
20/06/2020 | Other | Ability to delete files from local file system | BugUsr | 1.14.0 |
20/06/2020 | Other | Ability to overwrite local files via admin upload | BugUsr | 1.14.0 |
9/7/2020 | Other | Overwrite files with group cover image upload | BugUsr | 1.14.2 |
12/8/2020 | Privilege Escalation | Privilege escalation via account takeover | Muhammed Eren Uygun | 1.14.3 |
24/09/2020 | Other | Able to install arbitrary git repos via ACP plugins system | Numan Turle | 1.15.0 |
09/10/2020 | Bug | RSS category feed shows deleted topics | Utkrsh | 1.15.0 |
12/10/2020 | Bug | Reset token not invalidated upon account password change | Saiful Islam | 1.15.0 |
15/10/2020 | Bug | Ability to change specified user profile settings (IDOR) | s1m0x | 1.15.0 |
2/11/2020 | Bug | No password length check on /register | Hamza Farooqi | 1.15.0/1.15.1 |
20/11/2020 | Bug | Topic thumb accepts arbitrary user input via composer (should only allow uploaded files) | s1m0x | 1.15.3 |
09/04/2021 | XSS | XSS in custom flag reason, leads to priv escalation via socket call | Artur Matczak | 1.17.0 |
11/06/2021 | Other | Successive reset tokens do not invalidate prior generated tokens | Sammam Raza | 1.17.2 |
11/06/2021 | Other | Email enumeration in user email edit and registration endpoints | Sammam Raza | 1.17.3/1.18.0 |
11/06/2021 | Bug | Account takeover via Google SSO plugin (via shared link to /auth/callback with valid code) | Mar0uane | 1.17.2 |
11/06/2021 | Bug | Reset token remains valid after successful login | Sammam Raza | 1.17.2 |
12/06/2021 | Bug | v3 users API leaks PII (email) | Sammam Raza | 1.17.2 |
25/10/2021 | Bug | Path traversal bug in translator module | Paul Gerste | 1.18.5 |
25/10/2021 | Bug | Prototype pollution in uploader | Paul Gerste | 1.18.5 |
25/10/2021 | Bug | Auth bypass in write API verifyToken | Paul Gerste | 1.18.5 |