CVE-2025-50979
📋 TL;DR
NodeBB v4.3.0 contains a SQL injection vulnerability in the search-categories API endpoint that allows unauthenticated remote attackers to execute arbitrary SQL queries. This can lead to data theft, data manipulation, or complete database compromise. All systems running the vulnerable version with the API exposed are affected.
💻 Affected Systems
- NodeBB
📦 What is this software?
NodeBB by NodeBB
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of all user data, authentication credentials, and potential remote code execution through database functions.
Likely Case
Data exfiltration from the NodeBB database including user information, private messages, and potentially hashed passwords.
If Mitigated
Limited impact if database permissions are properly restricted and the API endpoint is not internet-facing.
🎯 Exploit Status
Proof of concept available in GitHub repository. Exploitation requires no authentication and uses standard SQL injection techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.3.1 or later
Vendor Advisory: https://github.com/NodeBB/NodeBB/security/advisories
Restart Required: Yes
Instructions:
1. Back up your NodeBB installation and database.
2. Update NodeBB to v4.3.1 or later using npm update.
3. Restart the NodeBB service.
4. Verify the fix by testing the search-categories endpoint.
🔧 Temporary Workarounds
Disable search-categories endpoint
Temporarily disable the vulnerable API endpoint until patching is possible
Edit NodeBB configuration to remove or restrict access to /api/v3/search/categories endpoint
Web Application Firewall rule
Block SQL injection patterns targeting the search parameter
Add WAF rule to block requests containing SQL keywords in search parameter to /api/v3/search/categories
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for the search-categories endpoint
- Restrict network access to the NodeBB API endpoints using firewall rules or reverse proxy configurations
🔍 How to Verify
Check if Vulnerable:
Test the /api/v3/search/categories endpoint with SQL injection payloads like ' OR '1'='1 in the search parameter
Check Version:
npm list nodebb | grep nodebb
Verify Fix Applied:
After patching, test the same endpoint with SQL injection payloads and verify they are properly sanitized or rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed requests to /api/v3/search/categories with special characters
- Database query errors containing user-supplied input
Network Indicators:
- HTTP requests to /api/v3/search/categories containing SQL keywords (UNION, SELECT, INSERT, etc.)
- Unusually large responses from the search endpoint
SIEM Query:
source="nodebb.logs" AND uri_path="/api/v3/search/categories" AND (search="*OR*" OR search="*UNION*" OR search="*SELECT*")
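The indicators above as a small access-log filter; this is an added example, not code from the advisory or from NodeBB. It assumes a reverse-proxy access log in combined format and a query parameter named `search` (as in the SIEM query), and the sample lines are constructed. It URL-decodes the value and matches whole keywords, so a benign search such as "forum orders", which a wildcard `*OR*` match would hit, is not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/v3/search/categories"  # path named in the advisory
PARAM = "search"                        # assumed parameter name, as in the SIEM query

# Whole-word SQL keywords, or a quote character followed by OR/AND.
SQLI = re.compile(
    r"\b(union|select|insert|update|delete|drop)\b|['\"]\s*(or|and)\b", re.I
)
# Request line and status code of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious(line):
    """Return the decoded search value if the line matches the indicators, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path != ENDPOINT:
        return None
    # parse_qs percent-decodes and turns '+' into a space before matching.
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        if SQLI.search(value):
            return value
    return None


def scan(lines):
    """Return (line_index, decoded_value) for every flagged line."""
    return [(i, v) for i, line in enumerate(lines)
            if (v := suspicious(line)) is not None]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /api/v3/search/categories?search=forum+orders HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v3/search/categories?search=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48213',
    '203.0.113.9 - - [01/Jan/2025:10:00:06 +0000] "GET /api/v3/search/categories?search=a%27+UNION+SELECT+1-- HTTP/1.1" 500 120',
    '198.51.100.4 - - [01/Jan/2025:10:00:09 +0000] "GET /api/v3/topics?search=select HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for index, value in scan(SAMPLE):
        print(f"line {index}: {value!r}")
```

A legitimate category search for a bare keyword such as "select" is still flagged, so treat hits as leads to correlate with the SQL-error and response-size indicators rather than as confirmed attacks.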