CVE-2022-46164

Name of the Vulnerable Software and Affected Versions NodeBB versions prior to 2.6.1

Description The issue arises from a plain object with a prototype being used in socket.io message handling, allowing a specially crafted payload to impersonate other users and takeover accounts.

Recommendations For versions prior to 2.6.1, upgrade to version 2.6.1 to patch the exploit. As a temporary workaround for users unable to upgrade, cherry-pick commit 48d143921753914da45926cca6370a92ed0c46b8 into their codebase to patch the exploit.