CVE-2022-46164

Critical

Published: 05 December 2022

Modified: 21 November 2024
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.5684 (98.2th percentile)
Risk Priority: 53 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-46164 is a critical-severity Improper Initialization (CWE-665) vulnerability in NodeBB. Its CVSS base score is 9.4 (Critical).

Operationally, it is ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

NodeBB is an open source Node.js forum platform that uses socket.io for real-time messaging. The vulnerability stems from the use of a plain JavaScript object that retains its prototype in socket.io message handling, which permits prototype pollution. This flaw, tracked as CWE-665, allows a specially crafted payload to manipulate object properties and was assigned a CVSS score of 9.4.
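The weakness class described above, shown as an added example (not NodeBB's code and not taken from the advisory or patch): a handler table built from a plain object resolves inherited names that nobody registered, while a prototype-less table with own-property checks does not. The names `plainHandlers`, `safeHandlers`, `resolveNaive`, `resolveStrict`, `callableNames` and the sample event names are hypothetical.

```javascript
// Added illustration: a hypothetical handler registry, not NodeBB source code.
const getProfile = (uid) => `profile:${uid}`;

// Weak form: object literals inherit from Object.prototype.
const plainHandlers = { user: { getProfile } };

// Hardened form: tables without a prototype hold only registered names.
const nullProto = (props) => Object.assign(Object.create(null), props);
const safeHandlers = nullProto({ user: nullProto({ getProfile }) });

// Naive resolver: walks a dotted event name with plain property access,
// so members inherited from the prototype chain are reachable by name.
function resolveNaive(table, eventName) {
  return String(eventName).split('.').reduce(
    (node, part) => (node == null ? undefined : node[part]), table);
}

// Strict resolver: every path segment must be an own property of a table,
// and the final value must be a function.
function resolveStrict(table, eventName) {
  if (typeof eventName !== 'string') return null;
  let node = table;
  for (const part of eventName.split('.')) {
    const isTable = node !== null && typeof node === 'object';
    if (!isTable || !Object.prototype.hasOwnProperty.call(node, part)) return null;
    node = node[part];
  }
  return typeof node === 'function' ? node : null;
}

// Names from `names` that a resolver turns into something callable.
function callableNames(resolver, table, names) {
  return names.filter((n) => typeof resolver(table, n) === 'function');
}

// Constructed sample of client-supplied event names.
const sampleNames = ['user.getProfile', 'constructor', 'user.toString', 'missing.name'];
```

Running `callableNames` over `sampleNames` with each resolver and table shows which names become callable; only the naive resolver on the plain table accepts names that were never registered.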

An unauthenticated attacker with network access can send the malicious payload to impersonate other users and fully take over their accounts, achieving high impact on confidentiality and integrity with low attack complexity and no required user interaction.

The official GitHub Security Advisory and accompanying patches state that the issue is resolved in NodeBB 2.6.1. Administrators who cannot upgrade immediately are directed to apply commit 48d143921753914da45926cca6370a92ed0c46b8.

The CVE carries an EPSS score that reached a peak of 0.6349 and currently sits at 0.5684, indicating sustained exploitation interest after disclosure.

Vulnerability details

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nodebb / nodebb, versions ≤ 2.6.1

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-665

Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.

addresses: CWE-665

Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.
