5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-27506

GHSA ID

GHSA-wf6c-hrhf-86cw

EPSS Score

0.2276%

CWE

CWE-79

Published

3/6/2025

Updated

3/6/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27506

CVE-2025-27506: NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page

Summary

The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting.

Details

Throughout the source-code analysis, it has been found that the endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting.

The flaw occurs due to implementation of the client-side template engine ejs, specifically on file resetPassword.ts where the template is using the insecure function “<%-“ https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71
which is rendered by the function renderPasswordReset: https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251

PoC

Send the request below to a vulnerable instance: /api/v1/db/auth/password/reset/asdsad%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E/

Impact

The vulnerability affect end-users, allowing an attacker to craft and send a malicious link to the victim which leads running script on their browser.

Credits

l34k3d ottoboni

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-27506

GHSA ID

GHSA-wf6c-hrhf-86cw

EPSS Score

0.2276%

CWE

CWE-79

Published

3/6/2025

Updated

3/6/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nocodb	npm	< 0.258.0	0.258.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from two key points: (1) The renderPasswordReset function in auth.controller.ts passes the unsanitized tokenId to the EJS template. (2) The template in resetPassword.ts uses the <%- syntax, which does not escape the token value. Together, this allows an attacker to inject arbitrary scripts via the token parameter, leading to reflected XSS. The patch fixed this by wrapping the token in quotes and using secure EJS output methods.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** *PI *n*point r*l*t** to t** p*sswor* r*s*t *un*tion is vuln*r**l* to R**l**t** *ross-Sit*-S*riptin*. ### **t*ils T*rou**out t** sour**-*o** *n*lysis, it **s ***n *oun* t**t t** *n*point /*pi/v*/**/*ut*/p*sswor*/r*s*t/:tok*nI* is v

Reasoning

T** vuln*r**ility *ris*s *rom two k*y points: (*) T** `r*n**rP*sswor*R*s*t` *un*tion in `*ut*.*ontroll*r.ts` p*ss*s t** uns*nitiz** `tok*nI*` to t** *JS t*mpl*t*. (*) T** t*mpl*t* in `r*s*tP*sswor*.ts` us*s t** <%- synt*x, w*i** *o*s not *s**p* t** t

5.4

Basic Information

Concerned about an active attack path?

CVE-2025-27506: NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page

Summary

Details

PoC

Impact

Credits

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI