NodeBB · NodeBB · CVE-2023-26045
**Name of the Vulnerable Software and Affected Versions**
NodeBB versions 2.5.0 through 2.8.7
**Description**
The issue arises from the use of object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability. Together these allow a specially crafted payload to invoke the user export logic and execute arbitrary JavaScript files on the local disk.
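The pattern described above, as an added example that is not NodeBB's code: a field destructured from a client payload flows into a script path, shown beside a version that allowlists the value and checks containment. The directory, file naming, export types and function names are assumptions made for illustration, and the payloads are constructed.

```javascript
// Added illustration; all names and paths are hypothetical, not NodeBB source.
const path = require('node:path').posix;

const JOBS_DIR = '/srv/forum/jobs';                           // assumed job-script directory
const VALID_TYPES = new Set(['profile', 'posts', 'uploads']); // assumed export types

// Unsafe: `type` is destructured from the client-supplied payload and
// interpolated into a script path without any validation.
function resolveJobUnsafe({ uid, type }) {
  return path.join(JOBS_DIR, `export-${type}.js`);
}

// Hardened: validate every destructured field, allowlist `type`,
// then confirm the resolved script sits directly in JOBS_DIR.
function resolveJobSafe(payload) {
  const { uid, type } = payload || {};
  if (!Number.isInteger(uid) || uid <= 0) throw new Error('invalid uid');
  if (typeof type !== 'string' || !VALID_TYPES.has(type)) {
    throw new Error('invalid export type');
  }
  const script = path.join(JOBS_DIR, `export-${type}.js`);
  if (path.dirname(script) !== JOBS_DIR) throw new Error('path escapes jobs directory');
  return script;
}

// Compare both resolvers on one payload.
function check(payload) {
  const unsafePath = resolveJobUnsafe(payload);
  let safe;
  try {
    safe = resolveJobSafe(payload);
  } catch (err) {
    safe = `rejected: ${err.message}`;
  }
  return { unsafePath, contained: unsafePath.startsWith(`${JOBS_DIR}/`), safe };
}

// Constructed payloads: expected value, traversal segments, non-string value.
const SAMPLES = [
  { uid: 1, type: 'profile' },
  { uid: 1, type: 'x/../../other/file' },
  { uid: 1, type: ['posts'] },
];

console.log(SAMPLES.map(check));
```

The same two checks work as a regression test around any code path that forks or requires a script chosen by a request field.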
**Recommendations**
For NodeBB versions 2.5.0 through 2.8.7, update to version 2.8.7 to patch the vulnerability.
As a temporary workaround, site maintainers can cherry-pick the fix into their codebase.