CVE-2025-27506 – nocodb

Package

Manager: npm
Name: nocodb
Vulnerable Version: >=0 <0.258.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00042 pctl0.11907

Details

NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page ### Summary The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. ### Details Throughout the source-code analysis, it has been found that the endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting. The flaw occurs due to implementation of the client-side template engine ejs, specifically on file resetPassword.ts where the template is using the insecure function “<%-“ https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71 which is rendered by the function renderPasswordReset: https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251 ### PoC Send the request below to a vulnerable instance: `/api/v1/db/auth/password/reset/asdsad%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E/`  ### Impact The vulnerability affect end-users, allowing an attacker to craft and send a malicious link to the victim which leads running script on their browser. ### Credits [l34k3d](https://github.com/xL34K3D) [ottoboni](https://github.com/gabrielott)

Metadata

Created: 2025-03-06T18:52:17Z
Modified: 2025-08-26T15:39:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-wf6c-hrhf-86cw/GHSA-wf6c-hrhf-86cw.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-wf6c-hrhf-86cw
Finding: F008
Auto approve: 1