CVE-2025-27506
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-27506
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27506.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-27506
- Aliases
- Published
- 2025-03-06T19:15:27Z
- Modified
- 2025-07-29T11:21:16.231648Z
- Summary
- [none]
- Details
-
NocoDB is software for building databases as spreadsheets. The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. The endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting. The flaw occurs due to implementation of the client-side template engine ejs, specifically on file resetPassword.ts where the template is using the insecure function “<%-“, which is rendered by the function renderPasswordReset. This vulnerability is fixed in 0.258.0.
- References
-
- https://github.com/nocodb/nocodb/security/advisories/GHSA-wf6c-hrhf-86cw
- https://github.com/nocodb/nocodb/commit/ea821edb133e621e26183ae65c8ff9ee5d6f2723
- https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251
- https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71
Affected packages
Git / github.com/nocodb/nocodb
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nocodb/nocodb
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.100.0
0.100.1
0.100.2
0.101.0
0.101.0-beta.0
0.101.2
0.104.1
0.104.2
0.104.3
0.105.0
0.105.1
0.105.2
0.105.3
0.106.0
0.106.0-beta.0
0.106.0-beta.1
0.106.1
0.107.0
0.107.0-beta.0
0.107.0-beta.1
0.107.1
0.107.2
0.107.3
0.107.4
0.107.5
0.108.0
0.108.0-beta.0
0.108.1
0.109.0
0.109.1
0.109.2
0.109.3
0.109.4
0.109.5
0.109.6
0.109.7
0.11.0
0.11.1
0.11.10
0.11.11
0.11.12
0.11.14
0.11.15
0.11.16
0.11.17
0.11.18
0.11.19
0.11.20
0.11.21
0.11.22
0.11.23
0.11.24
0.11.25
0.11.26
0.11.28
0.11.29
0.11.3
0.11.30
0.11.31
0.11.32
0.11.33
0.11.34
0.11.36
0.11.39
0.11.4
0.11.40
0.11.41
0.11.42
0.11.43
0.11.44
0.11.45
0.11.46
0.11.5
0.11.6
0.11.7
0.11.9
0.111.0
0.111.1
0.111.2
0.111.3
0.111.4
0.200.0
0.202.0
0.202.10
0.202.4
0.202.5
0.202.6
0.202.7
0.202.8
0.202.9
0.203.0
0.203.1
0.203.2
0.204.0
0.204.1
0.204.2
0.204.3
0.204.4
0.204.5
0.204.6
0.204.7
0.204.8
0.204.9
0.205.0
0.205.1
0.207.0
0.207.1
0.207.2
0.207.3
0.250.0
0.250.1
0.250.2
0.251.0
0.251.1
0.251.2
0.251.3
0.252.0
0.253.0
0.255.0
0.255.1
0.255.2
0.256.0
0.257.0
0.257.2
0.4.5
0.4.8
0.4.9
0.80.0
0.81.0
0.81.1
0.82.0
0.83.0
0.83.1
0.83.2
0.83.3
0.83.4
0.83.5
0.83.6
0.83.8
0.84.1
0.84.10
0.84.12
0.84.13
0.84.14
0.84.15
0.84.16
0.84.2
0.84.3
0.84.6
0.84.7
0.84.8
0.84.9
0.9
0.90.0
0.90.1
0.90.10
0.90.11
0.90.2
0.90.3
0.90.4
0.90.5
0.90.7
0.90.8
0.90.9
0.91.0
0.91.1
0.91.10
0.91.6
0.91.7
0.91.8
0.91.9
0.92.0
0.92.1
0.92.2
0.92.3
0.92.4
0.96.0
0.96.1
0.96.2
0.96.4
0.97.0
0.98.1
0.98.2
0.98.3
0.98.4
0.99.0
0.99.1
0.99.2
v0.*
v0.10.0
v0.4.2
v0.4.4