CVE-2023-26045

Name of the Vulnerable Software and Affected Versions NodeBB versions 2.5.0 through 2.8.7

Description The issue arises due to the use of object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability. This allows a specially crafted payload to invoke the user export logic and arbitrarily execute javascript files on the local disk.

Recommendations For NodeBB versions 2.5.0 through 2.8.7, update to version 2.8.7 to patch the exploit. As a temporary workaround, site maintainers can cherry pick the fix into their codebase to patch the exploit.