We are notifying you today about a security vulnerability that was present in older versions of NodeBB. We were notified of these vulnerabilities on 25 May 2022 and released patched versions of NodeBB, v2.0.1 and v1.19.8, three days later, on 28 May.
The specifics of this vulnerability are available upon request, but they are considered critical and affect the security of any site running an affected version of NodeBB. Admins are urged to upgrade to these patched versions as soon as possible.
Alternatively, the following changesets can be cherry-picked into your installation of NodeBB in lieu of a full upgrade:
As always, the NodeBB team is available to answer any questions or provide assistance in implementing these changesets.
For more information on the security vulnerability, please visit the GitHub Security Advisory page for this disclosure.