NodeBB 2.8.1 Security Update
-
A bug in our socket.io message parsing code can result in privilege escalation by sending a specially crafted socket.io call to the server.
We have resolved this in the latest version of NodeBB (2.8.1), and the fix has already been rolled out as a patch to all of our hosted customers.
The fix is included in the latest 2.8.1 release https://github.com/NodeBB/NodeBB/releases/tag/v2.8.1.
If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually: https://github.com/NodeBB/NodeBB/commit/586eed1407a78a1c1ec3af9bef3866104d3ef7cd
This is related to the previous vulnerability mentioned in https://community.nodebb.org/topic/16829/nodebb-2-6-1-security-update/1
-
@eeeee that was a similar but separate vulnerability
-
It is basically the same vulnerability exploited with a different socket call. The initial fix in 2.6.1 only prevented a specific case; the fix in 2.8.1 should cover all cases.
You can either upgrade to 2.8.1 or only get the changes from the specific commit.
-
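A script to verify which of the two conditions above a deployment satisfies (running 2.8.1 or later, or carrying the fix commit in its git history). This is an added example, not NodeBB's own tooling and not part of the original thread. It assumes a NodeBB checkout whose package.json carries a "version" field and, for the commit check, a git history that contains the upstream commit or a `cherry-pick -x` trailer naming it; a commit cherry-picked without `-x`, or a patch applied by hand, leaves no hash to find, so in that case only the version comparison is informative. The version comparison relies on the thread's statement that 2.8.1 and later contain the fix.

```shell
#!/bin/sh
# Added example (not NodeBB's code): does this checkout carry the 2.8.1 socket.io fix?
# Usage: sh check_nodebb_fix.sh /path/to/nodebb
# Assumptions: $DIR/package.json has a "version" field; git is available for the commit check.

FIX_VERSION="2.8.1"
FIX_COMMIT="586eed1407a78a1c1ec3af9bef3866104d3ef7cd"

# version_ge A B: exit 0 when dotted version A is >= B, comparing each numeric component.
# A pre-release suffix such as "-beta" is stripped from the component before comparing.
version_ge() {
  a="$1"; b="$2"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x%%-*}; y=${y%%-*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# installed_version DIR: print the "version" field of DIR/package.json (empty if absent).
installed_version() {
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" 2>/dev/null | head -n 1
}

# nodebb_patched DIR: exit 0 when the version is >= 2.8.1, when the fix commit is an
# ancestor of HEAD, or when a "cherry picked from" trailer in the log names the commit.
nodebb_patched() {
  dir="$1"
  v=$(installed_version "$dir")
  if [ -n "$v" ] && version_ge "$v" "$FIX_VERSION"; then
    echo "package.json version $v is >= $FIX_VERSION: fix present"
    return 0
  fi
  if git -C "$dir" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null; then
    echo "fix commit $FIX_COMMIT is an ancestor of HEAD: fix present"
    return 0
  fi
  if [ -n "$(git -C "$dir" log --grep="$FIX_COMMIT" --format=%H 2>/dev/null)" ]; then
    echo "a commit in HEAD's history was cherry-picked (-x) from $FIX_COMMIT: fix present"
    return 0
  fi
  echo "NodeBB ${v:-<unknown version>} at $dir lacks the 2.8.1 fix: upgrade or cherry-pick $FIX_COMMIT"
  return 1
}

# Only run the check when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
  nodebb_patched "$1"
fi
```

A non-zero exit from the script means neither signal was found; that is also what you get for a hand-applied patch, so treat it as "could not confirm" rather than "definitely vulnerable" and inspect the socket.io parsing code against the linked commit yourself.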