CVE-2022-46164: 
JavaScript vulnerability analysis and mitigation

NodeBB, an open source Node.js based forum software, was found to contain a critical vulnerability (CVE-2022-46164) that was disclosed on December 5, 2022. The vulnerability stems from a plain object with a prototype being used in socket.io message handling, which could allow attackers to impersonate other users and take over accounts. This security flaw affects all versions of NodeBB prior to version 2.6.1 (GitHub Advisory).

The vulnerability received a CVSS v3.1 base score of 9.8 (Critical) from NIST and 9.4 (Critical) from GitHub. The flaw exists within the Socket.IO implementation in NodeBB, which enables socket-based communication and handles various forum functions. The vulnerability was caused by using a plain object with a prototype in socket.io message handling, allowing specially crafted payloads to bypass security restrictions (NVD, Security Online).

The vulnerability allows remote attackers to bypass security restrictions, impersonate other users, and take over accounts. The high CVSS scores indicate critical severity with potential for complete system compromise, affecting confidentiality, integrity, and availability of the system (GitHub Advisory).

The vulnerability has been patched in NodeBB version 2.6.1. Users are strongly advised to upgrade to this version or newer. For users unable to upgrade immediately, a workaround is available by cherry-picking commit 48d143921753914da45926cca6370a92ed0c46b8 into their codebase (GitHub Advisory).