It is basically the same vulnerability exploited with a different socket call. The initial fix in 2.6.1 only prevented a specific case; the fix in 2.8.1 should cover all cases.
You can either upgrade to 2.8.1 or only get the changes from the specific commit.
NodeBB 2.8.7 Security Update
A bug in our message parsing code can result in remote code execution.
Affected versions: >=2.5.0 <2.8.7
We have resolved this in the latest version of NodeBB (2.8.7), and the fix has already been rolled out as a patch on all of our hosted customers.
The fix is included in the latest 2.8.7 release: https://github.com/NodeBB/NodeBB/releases/tag/v2.8.7
If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually: https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092