CVE-2025-29512: Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbit...
Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database.
Security readout for executives and security teams
Plain-English summary
CVE-2025-29512 is a stored cross-site scripting issue reported in NodeBB v4.0.4 and earlier. An attacker could store script content that later runs when a user interacts with affected blacklist IP functionality, potentially disrupting that function until the content is removed from the database.
Executive priority
Treat this as a moderate web application risk. It warrants timely inventory and remediation planning, especially for public forums, but the supplied evidence does not justify emergency response based on active exploitation.
Technical view
The CVE describes CWE-79 stored XSS with CVSS 3.1 score 6.1, network attack vector, low complexity, no privileges, and required user interaction. Scope is changed with low confidentiality and integrity impact. Structured affected-product data is incomplete, but the title and description name NodeBB v4.0.4 and before.
Likely exposure
Exposure likely applies to organizations running NodeBB v4.0.4 or earlier, especially internet-facing forums. The CVE record’s structured affected fields are listed as n/a, so asset validation should rely on local inventory and vendor project records.
Exploitation context
The provided sources do not state active exploitation, and the CVE is not marked in KEV. The issue is remotely reachable and requires user interaction, so risk is meaningful but not supported as currently exploited by the supplied evidence.
Researcher notes
Primary uncertainty is affected-version precision and remediation status. The CVE text identifies NodeBB v4.0.4 and before, while structured affected fields are n/a. Avoid assuming a fixed version unless confirmed by NodeBB or another cited source.
Mitigation direction
Identify all NodeBB deployments and record exact versions.
Check NodeBB vendor guidance for a fixed release or official workaround.
Prioritize upgrading instances at v4.0.4 or earlier if vendor guidance confirms exposure.
Limit access to administrative blacklist IP functions where operationally feasible.
If the function is broken, remove malicious stored content through approved database recovery procedures.
Validation and detection
Confirm whether each forum is NodeBB and determine its deployed version.
Compare versions against the CVE description: v4.0.4 and before.
Review whether blacklist IP functionality is present and used.
Look for unexpected stored content affecting blacklist IP pages.
Document uncertainty where product metadata or vendor fix information is unavailable.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.