CVE-2022-46164
Published: 05 December 2022
Summary
CVE-2022-46164 is a critical-severity Improper Initialization (CWE-665) vulnerability in NodeBB. Its CVSS base score is 9.4 (Critical).
Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
NodeBB is an open source Node.js forum platform that uses socket.io for real-time messaging. The vulnerability stems from the use of a plain JavaScript object that retains its prototype in socket.io message handling, which permits prototype pollution. This flaw, tracked as CWE-665, allows a specially crafted payload to manipulate object properties and was assigned a CVSS score of 9.4.
An unauthenticated attacker with network access can send the malicious payload to impersonate other users and fully take over their accounts, achieving high impact on confidentiality and integrity with low attack complexity and no required user interaction.
The official GitHub Security Advisory and accompanying patches state that the issue is resolved in NodeBB 2.6.1. Administrators who cannot upgrade immediately are directed to apply commit 48d143921753914da45926cca6370a92ed0c46b8.
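The inherited-property lookup that a prototype-bearing handler object allows, next to a hardened lookup, as an added example that is not NodeBB's code or its patch. The handler tree, event names and function names are hypothetical and the inputs are constructed.

```javascript
// Added illustration, not NodeBB source. Handler names are hypothetical.

// Weak form: a plain object literal inherits from Object.prototype, so a
// lookup keyed by a client-supplied name can land on inherited members.
const plainHandlers = {
  user: { getProfile: (uid) => ({ uid }) },
};

// Weak resolver: walks the dotted event name with bare property access.
function resolveUnsafe(root, eventName) {
  return String(eventName).split('.').reduce(
    (node, part) => (node == null ? undefined : node[part]), root);
}

// Hardened form, step 1: rebuild the handler tree without prototypes.
function nullProto(tree) {
  const out = Object.create(null);
  for (const [key, value] of Object.entries(tree)) {
    out[key] = value && typeof value === 'object' ? nullProto(value) : value;
  }
  return out;
}
const safeHandlers = nullProto(plainHandlers);

// Hardened form, step 2: accept only own properties that end in a function.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function resolveSafe(root, eventName) {
  if (typeof eventName !== 'string') return undefined;
  let node = root;
  for (const part of eventName.split('.')) {
    const walkable = node !== null && typeof node === 'object';
    if (!walkable || BLOCKED.has(part) ||
        !Object.prototype.hasOwnProperty.call(node, part)) {
      return undefined;
    }
    node = node[part];
  }
  return typeof node === 'function' ? node : undefined;
}

// Constructed event names: report what each resolver returns for them.
function audit(names) {
  return names.map((name) => ({
    name,
    unsafe: typeof resolveUnsafe(plainHandlers, name),
    safe: typeof resolveSafe(safeHandlers, name),
  }));
}
console.log(audit(['user.getProfile', 'constructor', 'user.toString', 'user.__proto__']));
```

Only the registered handler resolves under the hardened lookup; the same audit can be run against any dispatch table keyed by client-supplied names to confirm that nothing inherited is reachable.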
The CVE carries an EPSS score that reached a peak of 0.6349 and currently sits at 0.5684, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7733
Vulnerability details
NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.
- CWE(s): CWE-665
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.
Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.