CVE-2021-43788
JavaScript vulnerability analysis and mitigation

Overview

CVE-2021-43788 is a path traversal vulnerability in NodeBB, an open-source, Node.js-based forum software. It affects versions prior to v1.18.5 and allows users to access JSON files outside of the expected languages/ directory. The issue was discovered and reported on October 25, 2021, and was patched with the release of version 1.18.5 on October 27, 2021 (GitHub Advisory, SonarSource).

Technical details

The vulnerability existed in the translation functionality of NodeBB. The application uses translation tags in templates that reference messages stored in JSON files. When resolving the file that corresponds to a tag's namespace, the Languages.get function used path.join() without validating that the resulting path was within the translation directory. The flaw was reachable through the generation of the og:url meta tag: URL paths were not properly sanitized there, so an attacker could include translation tags that resolved to files outside the intended directory (SonarSource).

Impact

The vulnerability allowed attackers to read any JSON file from the file system, provided it contained valid JSON data. This could be exploited to access sensitive information such as database credentials or session secrets used for cookie verification. The vulnerability received a CVSS v3.1 Base Score of 5.0 (Medium) (NVD).

Mitigation and workarounds

The vulnerability was patched in NodeBB version 1.18.5 by implementing proper path validation. The fix includes checking if the resulting file path starts with the expected languages directory using pathToLanguageFile.startsWith(languagesPath). Users are advised to upgrade to version 1.18.5 or later. As a temporary workaround, users can cherry-pick commit c8b2fc46dc698db687379106b3f01c71b80f495f if a full upgrade is not immediately possible (GitHub Advisory).
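
The difference between the unchecked path.join() described under Technical details and the startsWith() containment check described above, as an added example that is not NodeBB's code. The directory, the function names and the sample inputs are constructed for illustration; the trailing-separator comparison goes one step beyond the check quoted above and is included so that a sibling directory sharing the same prefix is also rejected.

```javascript
// Added example: LANG_ROOT, resolveUnchecked, resolveChecked and tryResolve
// are hypothetical names, not identifiers from the NodeBB code base.
const path = require('node:path').posix; // posix flavour: same results on every OS

// Constructed install location (assumption, not taken from NodeBB).
const LANG_ROOT = '/srv/forum/build/public/language';

// "Before": joins caller-influenced parts and trusts the result.
function resolveUnchecked(language, namespace) {
  return path.join(LANG_ROOT, language, `${namespace}.json`);
}

// "After": same join, then a containment check on the normalised result.
// Comparing against LANG_ROOT + separator rather than LANG_ROOT alone also
// rejects sibling directories that merely share the prefix.
function resolveChecked(language, namespace) {
  const candidate = path.join(LANG_ROOT, language, `${namespace}.json`);
  if (!candidate.startsWith(LANG_ROOT + path.sep)) {
    throw new Error('invalid-path');
  }
  return candidate;
}

// Returns the resolved path, or the string 'rejected' when the check throws.
function tryResolve(language, namespace) {
  try {
    return resolveChecked(language, namespace);
  } catch (err) {
    return 'rejected';
  }
}

// Constructed inputs: one ordinary namespace, two that leave LANG_ROOT.
const samples = [
  ['en-GB', 'global'],
  ['en-GB', '../../../../config'],
  ['../language-old', 'global'],
];
for (const [language, namespace] of samples) {
  console.log(resolveUnchecked(language, namespace), '->', tryResolve(language, namespace));
}
```

Because path.join() normalises ".." segments before returning, the check has to run on the joined result, not on the individual parts.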

Community reactions

The NodeBB team responded quickly to the reported vulnerability, implementing and releasing patches within two days of the initial report. The researchers were awarded a $1,536 bounty for their findings. The security community praised the quick response and thorough fix implemented by the NodeBB team (SonarSource).

This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2026-23947 | CRITICAL | 9.3 | JavaScript | @orval/core | No | Yes | Jan 20, 2026
CVE-2026-23950 | HIGH | 8.8 | JavaScript | grafana-graphite | No | Yes | Jan 20, 2026
CVE-2026-22037 | HIGH | 8.4 | JavaScript | @fastify/express | No | Yes | Jan 19, 2026
CVE-2026-23522 | LOW | 3.7 | JavaScript | @lobehub/chat | No | No | Jan 19, 2026
CVE-2025-66803 | LOW | 1.7 | JavaScript | @hotwired/turbo | No | Yes | Jan 20, 2026
