{"id":6539,"date":"2025-08-30T10:06:01","date_gmt":"2025-08-30T10:06:01","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/30\/nodebb-vulnerability-let-attackers-inject-boolean-based-blind-and-postgresql-error-based-payloads\/"},"modified":"2025-08-30T10:06:01","modified_gmt":"2025-08-30T10:06:01","slug":"nodebb-vulnerability-let-attackers-inject-boolean-based-blind-and-postgresql-error-based-payloads","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/30\/nodebb-vulnerability-let-attackers-inject-boolean-based-blind-and-postgresql-error-based-payloads\/","title":{"rendered":"NodeBB Vulnerability Let Attackers Inject Boolean-Based Blind and PostgreSQL Error-Based Payloads"},"content":{"rendered":"

NodeBB Vulnerability Let Attackers Inject Boolean-Based Blind and PostgreSQL Error-Based Payloads
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

NodeBB, a popular open-source forum platform, has been found vulnerable to a critical SQL injection flaw <\/a>in version 4.3.0.\u00a0<\/p>\n

The flaw, tracked as CVE-2025-50979, resides in the search-categories API endpoint, allowing unauthenticated, remote attackers to inject both boolean-based blind and PostgreSQL error-based payloads.\u00a0<\/p>\n

Successful exploitation could lead to unauthorized data access, information disclosure, or further system compromise.<\/p>\n

Key Takeaways<\/mark><\/strong>
1. NodeBB v4.3.0\u2019s unsanitized search parameter allows unauthenticated SQL injection.
2. Exploits include Boolean-based blind and PostgreSQL error-based payloads.
3. Upgrade or use WAF rules, IP restrictions, and log monitoring.<\/pre>\n
SQL Injection Vulnerability<\/strong><\/h2>\n
In NodeBB v4.3.0, the search parameter in the search-categories API is not properly sanitized before being passed to the underlying SQL query builder.\u00a0<\/p>\n
Consequently, specially crafted payloads can alter the intended logic of the SQL statements. Two proof-of-concept payloads demonstrate the severity:<\/p>\n
Boolean-Based Blind Injection:<\/strong><\/p>\n
\n
\"NodeBB<\/figure>\n<\/div>\n
This payload appends AND 4638=4638 within the WHERE clause, which always evaluates to true, illustrating that the attacker can control conditional logic.<\/p>\n
PostgreSQL Error-Based Injection:<\/strong><\/p>\n
\n
\"NodeBB<\/figure>\n<\/div>\n
This payload triggers a PostgreSQL casting error, revealing attack success through database error messages containing injected markers.<\/p>\n
\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\nNodeBB v4.3.0<\/td>\n<\/tr>\n
Impact<\/td>\nUnauthorized data access, information disclosure, and arbitrary SQL execution<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\nRemote HTTP access to; no authentication required<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n9.8 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Mitigations<\/strong><\/h2>\n
Attackers exploiting CVE-2025-50979 can read or modify sensitive data, escalate privileges<\/a> within the forum, and execute arbitrary SQL commands.\u00a0<\/p>\n
Publicly exposed NodeBB instances are at particular risk, especially those configured without stringent firewall rules or running behind permissive reverse proxies.<\/p>\n
NodeBB maintainers have<\/a> released a patch in version 4.3.1, which properly escapes and parameterizes the search input.\u00a0<\/p>\n
Administrators are urged to upgrade immediately. For those unable to upgrade promptly, temporary mitigations include:<\/p>\n