CVE-2025-31120
📋 TL;DR
This vulnerability allows unauthenticated attackers to artificially inflate forum view counts in NamelessMC. The insecure mechanism relies on client-side cookies to track views, so requests without the cookie cause the counter to increment incorrectly. This affects all NamelessMC installations running version 2.1.4 or earlier.
💻 Affected Systems
- NamelessMC
📦 What is this software?
Nameless by Namelessmc
⚠️ Risk & Real-World Impact
Worst Case
Forum view statistics become completely unreliable, potentially undermining community engagement metrics and making popularity-based features meaningless.
Likely Case
Attackers can easily manipulate view counts to make certain topics appear more popular than they actually are, potentially influencing user behavior.
If Mitigated
With proper patching, view counts accurately reflect genuine user engagement and cannot be artificially manipulated.
🎯 Exploit Status
Exploitation requires no authentication and can be performed by simply clearing cookies or using tools that don't send cookies with requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.0
Vendor Advisory: https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646
Restart Required: No
Instructions:
1. Backup your current installation and database.
2. Download NamelessMC v2.2.0 from the official GitHub releases.
3. Replace all files with the new version (except custom themes/modules).
4. Run the update script if prompted.
5. Clear any caching mechanisms.
🔧 Temporary Workarounds
Disable Forum View Counting
Temporarily disable the view counting feature in forum settings to prevent manipulation until patching.
🧯 If You Can't Patch
- Implement rate limiting on forum page requests to limit the speed of view count manipulation.
- Monitor forum view count anomalies and implement alerting for suspicious activity patterns.
🔍 How to Verify
Check if Vulnerable:
Check if forum view counts increment when accessing topics with cookies disabled or cleared. If views increase with each refresh without cookies, the system is vulnerable.
Check Version:
Check the version.php file or admin panel for version number. Should show 2.2.0 or higher after patching.
Verify Fix Applied:
After patching, verify that forum view counts only increment once per session when cookies are present, and don't increment on repeated refreshes without cookies.
📡 Detection & Monitoring
Log Indicators:
- Unusually high frequency of forum topic views from single IP addresses
- Forum view counts increasing at implausible rates compared to user activity
Network Indicators:
- Multiple rapid requests to forum topic pages without cookies being sent
SIEM Query:
source="web_logs" uri="/forum/topic/*" (cookie="" OR user_agent="*automated*")
| bin _time span=1h
| stats count by src_ip, _time
| where count > 100
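The same detection logic as the SIEM query, run offline over web server access logs, as an added example that is not part of the original advisory or of NamelessMC. It assumes a combined-log format with the request's Cookie header appended as a final quoted field, a topic URL prefix of /forum/topic/, and constructed sample log lines; the 100-per-hour threshold mirrors the query above and is lowered for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from any real server). Combined log format
# with the request Cookie header as the last quoted field ("-" means none sent).
SAMPLE_LOGS = """\
203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET /forum/topic/42-welcome HTTP/1.1" 200 5120 "-" "python-requests/2.31" "-"
203.0.113.5 - - [10/Apr/2025:12:00:02 +0000] "GET /forum/topic/42-welcome HTTP/1.1" 200 5120 "-" "python-requests/2.31" "-"
203.0.113.5 - - [10/Apr/2025:12:00:03 +0000] "GET /forum/topic/42-welcome HTTP/1.1" 200 5120 "-" "python-requests/2.31" "-"
198.51.100.7 - - [10/Apr/2025:12:00:05 +0000] "GET /forum/topic/42-welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=abc123"
198.51.100.7 - - [10/Apr/2025:12:00:09 +0000] "GET /forum/topic/42-welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=abc123"
"""

# Assumed log layout: ip ident user [ts] "method path proto" status bytes "referer" "ua" "cookie"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TOPIC_PREFIX = "/forum/topic/"  # assumed topic URL prefix, as in the SIEM query


def cookieless_topic_views(log_text):
    """Yield (ip, hour) for every GET of a forum topic that carried no Cookie header."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not m["path"].startswith(TOPIC_PREFIX):
            continue
        if m["cookie"] not in ("", "-"):
            continue  # cookies present: the view-tracking cookie can do its job
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts.replace(minute=0, second=0, microsecond=0)


def find_view_inflation(log_text, threshold=100):
    """Return {(ip, hour_iso): count} for IPs whose cookieless topic requests
    within one clock hour reach the threshold (100/hour per the SIEM query)."""
    counts = defaultdict(int)
    for ip, hour in cookieless_topic_views(log_text):
        counts[(ip, hour.isoformat())] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, hour), n in find_view_inflation(SAMPLE_LOGS, threshold=3).items():
        print(f"{ip} made {n} cookieless topic requests in hour {hour}")
```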
🔗 References
- https://github.com/NamelessMC/Nameless/commit/9b112c0beab346a38b6f5a51e7773b38c6fc52e7
- https://github.com/NamelessMC/Nameless/releases/tag/v2.2.0
- https://github.com/NamelessMC/Nameless/security/advisories/GHSA-8jv7-77jw-h646