CVE-2022-46164

Description

### Impact Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. ### Patches Patched in 2.6.1 ### Workarounds Site maintainers can cherry-pick https://github.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8 into their codebase to patch the exploit. ### For more information If you have any questions or comments about this advisory: Discuss it on [our community forum](https://github.com/NodeBB/NodeBB/security/advisories/community.nodebb.org/) Email us at [support@nodebb.org](mailto:support@nodebb.org)

How to fix CVE-2022-46164

To remediate CVE-2022-46164, upgrade the affected package to a fixed version below.

• —upgrade to 2.6.1 or later

Is CVE-2022-46164 being exploited?

Likely — EPSS is 56.8%, placing CVE-2022-46164 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• from 0, < 2.6.1

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-46164
• PATCHgithub.com/NodeBB/NodeBB
• WEBgithub.com/NodeBB/NodeBB/commit/48d143921753914da45926cca6370a92ed0c46b8
• WEBgithub.com/NodeBB/NodeBB/releases/tag/v2.6.1
• WEB