
NodeBB SQL Injection Vulnerability Allows Attackers to Inject Boolean-Based Blind and PostgreSQL Error-Based Payloads

NodeBB, a widely used open-source forum platform, is affected by a critical SQL injection flaw in version 4.3.0. The vulnerability, tracked as CVE-2025-50979, lies in the search-categories API endpoint: the search parameter is passed into the SQL query unsanitised, so an unauthenticated remote attacker can alter the logic of the intended statement. Both boolean-based blind and PostgreSQL error-based payloads work against it. Successful exploitation could lead to unauthorised data access, information disclosure, or further compromise of the underlying system.

Two proof-of-concept payloads illustrate the severity of the flaw. The boolean-based blind payload appends "AND 4638=4638" to the WHERE clause; because the condition is always true, the response is indistinguishable from a normal query, which confirms that attacker-supplied conditions reach the database and can be used to extract data one true/false answer at a time. The PostgreSQL error-based payload forces a type-cast error, so the resulting database error message, which contains the attacker's injected marker, confirms the injection directly.

The NodeBB maintainers have released version 4.3.1, which properly escapes and parameterises the search input. Administrators are strongly urged to upgrade immediately and to confirm the running version afterwards. Where an upgrade is not yet possible, temporary mitigations include Web Application Firewall rules for the endpoint, restricting API access to trusted IP ranges, and monitoring logs for the payload shapes described above. These measures reduce exposure but do not remove the flaw, since the vulnerable query is still executed; the endpoint requires no authentication, so any reachable instance remains a target until patched. The case underlines the importance of input sanitisation and of prepared statements for every SQL interaction.
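The following is an added example and is not NodeBB's code or the actual vulnerable query. It contrasts the injectable pattern described above (the search term spliced into SQL text) with a parameterised query of the kind the 4.3.1 fix applies, and then scans a few constructed log lines for the "AND n=n" tautology shape quoted in the advisory. The table and column names, the node-postgres `$1` placeholder style, the request path `/api/search/categories` and the `search` parameter name are all assumptions; the error-based payload is not reproduced because the advisory does not give it.

```javascript
// Added example, not NodeBB's own code. Assumed (not from the advisory):
// table `categories`, column `name`, node-postgres positional `$1`
// placeholders, request path /api/search/categories and parameter `search`.

// Vulnerable pattern: the search term is spliced into the SQL text, so a
// quote inside the term closes the literal and the remainder becomes SQL.
function buildVulnerableQuery(search) {
  return `SELECT cid, name FROM categories WHERE name ILIKE '%${search}%'`;
}

// Hardened pattern: the SQL text is fixed; the term (wildcards included)
// travels as a bound value and can never be parsed as SQL.
function buildSafeQuery(search) {
  return {
    text: 'SELECT cid, name FROM categories WHERE name ILIKE $1',
    values: [`%${search}%`],
  };
}

// Count the single quotes in SQL text. A bound value can never change this
// count, so a change between the benign and payload cases shows that the
// term has become part of the statement.
function countSingleQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Shape of the boolean-blind probe quoted in the advisory ("AND 4638=4638").
// Blind probing alternates true (n=n) and false (n=m) conditions, so both
// are matched: a benign category search almost never contains this shape.
const BOOLEAN_PROBE = /\b(AND|OR)\s+\d+\s*=\s*\d+\b/i;

// Decode the `search` parameter from a request path and classify it.
function classifyRequest(requestPath) {
  const url = new URL(requestPath, 'http://localhost');
  const term = url.searchParams.get('search');
  if (term === null) return { term: null, verdict: 'no-search-param' };
  return { term, verdict: BOOLEAN_PROBE.test(term) ? 'boolean-blind' : 'benign' };
}

// Constructed sample log lines (not real NodeBB logs): method, path, status.
const SAMPLE_LOG = [
  'GET /api/search/categories?search=general 200',
  'GET /api/search/categories?search=x%27%20AND%204638%3D4638--%20 200',
  'GET /api/search/categories?search=x%27%20AND%204638%3D4639--%20 200',
  'GET /api/categories 200',
];

// Return the suspicious entries together with the decoded term that fired.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const path = line.split(' ')[1];
    if (!path || !path.startsWith('/api/search/categories')) continue;
    const { term, verdict } = classifyRequest(path);
    if (verdict === 'boolean-blind') hits.push({ line, term });
  }
  return hits;
}

// Stand-alone demonstration.
const payload = "x' AND 4638=4638-- ";
console.log(buildVulnerableQuery(payload));
console.log(buildSafeQuery(payload));
console.log(scanLog(SAMPLE_LOG));
```

Running the block shows the payload turning the vulnerable statement into `... ILIKE '%x' AND 4638=4638-- %'` (three quotes instead of two, with the trailing `%'` commented out), while the parameterised form keeps the same SQL text and carries the payload only as a bound string. The log scanner flags both the true and the false probe, which is what a blind-injection attempt looks like in access logs; it is a heuristic for the quoted shape and will not catch every encoding or variant, so it complements rather than replaces the upgrade.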

Categories: Security Vulnerability, SQL Injection, Software Update 

Tags: NodeBB, SQL Injection, CVE-2025-50979, Search-Categories API, Unauthenticated Access, Boolean-Based Blind Injection, PostgreSQL Error-Based Injection, Data Disclosure, Web Application Firewall, Input Sanitization 
