
Cloud Vulnerability DB
A community-led vulnerabilities database
NodeBB versions before 1.18.5 contained a critical authentication bypass vulnerability (CVE-2021-43786) in the token verification mechanism. The vulnerability allowed attackers to bypass API authentication and obtain master token access, which could lead to remote code execution on NodeBB instances. The issue was discovered and reported by Paul Gerste from SonarSource in October 2021 (SonarSource Blog, GitHub Advisory).
The vulnerability existed in the token verification function, where incorrect logic in the object creation and property lookup allowed attackers to exploit properties inherited from Object.prototype. When tokens were loaded, they were merged into a plain object, so inherited properties such as toString or constructor became valid Bearer tokens. The lookup checked whether a property with the provided token as its key was present, a check that also succeeded for these inherited properties. Since the values of inherited properties were functions or objects, they parsed to NaN, and the subsequent check treated them as master tokens, so authentication succeeded with master privileges (SonarSource Blog).
The vulnerability allowed unauthenticated attackers to gain master token access to the API, which could be used to perform actions on behalf of any user, including administrators. This access could ultimately lead to remote code execution on the NodeBB server, regardless of its configuration. Attackers did not need an account or any prior information to exploit the vulnerability (SonarSource Blog).
The vulnerability was patched in NodeBB version 1.18.5. The fix involved changing the token verification logic to skip the conversion from array to object entirely and instead search the array for a matching entry. Users are strongly advised to upgrade to at least version 1.18.5. As a temporary workaround, users can cherry-pick commit hash 04dab1d to receive the patch without performing a full upgrade (GitHub Advisory, SonarSource Blog).
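To make the bug class and the fix concrete, the following is an added illustration written for this entry; it is not NodeBB's own source. It models the pattern described above (a token array converted into a plain object, then indexed by an untrusted key) beside the array-search approach the patch took; the token store, its values and the function names are constructed.

```javascript
// Illustrative model of the CVE-2021-43786 bug class, not NodeBB's real code.
// A plain object built from an array of tokens is looked up with an
// attacker-controlled key, so Object.prototype members such as "toString"
// or "constructor" are found even though no such token was ever issued.

// Constructed sample token store: uid 0 marks a master token.
const TOKEN_STORE = [
  { token: 'aaaa-1111', uid: 0 },   // constructed master token
  { token: 'bbbb-2222', uid: 42 },  // constructed per-user token
];

// Vulnerable pattern: reduce the array into an object keyed by token value.
function verifyTokenVulnerable(token) {
  const byToken = {};
  for (const entry of TOKEN_STORE) byToken[entry.token] = entry.uid;

  const uid = byToken[token];        // inherited properties resolve here
  if (uid === undefined) return { ok: false };

  const parsed = parseInt(uid, 10);  // a function or object parses to NaN
  if (parsed > 0) return { ok: true, master: false, uid: parsed };
  return { ok: true, master: true }; // NaN > 0 is false, so NaN lands here
}

// Fixed pattern: never convert to an object; search the array for an exact
// match on the token string. (Object.create(null) or a Map would also avoid
// the prototype chain, but array search mirrors the described fix.)
function verifyTokenFixed(token) {
  if (typeof token !== 'string') return { ok: false };
  const entry = TOKEN_STORE.find((e) => e.token === token);
  if (!entry) return { ok: false };
  if (entry.uid > 0) return { ok: true, master: false, uid: entry.uid };
  return { ok: true, master: true };
}

module.exports = { verifyTokenVulnerable, verifyTokenFixed };
```

A quick regression check for any similar lookup is to feed it the names of Object.prototype members and confirm they are rejected; the fixed version above returns `{ ok: false }` for them, while the vulnerable one returns a master result.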
The NodeBB team responded quickly to the reported vulnerability, implementing and releasing patches promptly. They awarded a $1,536 bounty to the researcher for discovering the vulnerability. The security community highlighted the severity of this vulnerability due to its ease of exploitation and potential impact (SonarSource Blog).
Source: This report was generated using AI