LiveActive security incident?Get immediate response
CVE Record

CVE-2025-29512: Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbit...

Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database.

MediumCVSS 6.1Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-29512 is a stored cross-site scripting issue reported in NodeBB v4.0.4 and earlier. An attacker could store script content that later runs when a user interacts with affected blacklist IP functionality, potentially disrupting that function until the content is removed from the database.

Executive priority

Treat this as a moderate web application risk. It warrants timely inventory and remediation planning, especially for public forums, but the supplied evidence does not justify emergency response based on active exploitation.

Technical view

The CVE describes CWE-79 stored XSS with CVSS 3.1 score 6.1, network attack vector, low complexity, no privileges, and required user interaction. Scope is changed with low confidentiality and integrity impact. Structured affected-product data is incomplete, but the title and description name NodeBB v4.0.4 and before.

Likely exposure

Exposure likely applies to organizations running NodeBB v4.0.4 or earlier, especially internet-facing forums. The CVE record’s structured affected fields are listed as n/a, so asset validation should rely on local inventory and vendor project records.

Exploitation context

The provided sources do not state active exploitation, and the CVE is not marked in KEV. The issue is remotely reachable and requires user interaction, so risk is meaningful but not supported as currently exploited by the supplied evidence.

Researcher notes

Primary uncertainty is affected-version precision and remediation status. The CVE text identifies NodeBB v4.0.4 and before, while structured affected fields are n/a. Avoid assuming a fixed version unless confirmed by NodeBB or another cited source.

Mitigation direction

  • Identify all NodeBB deployments and record exact versions.
  • Check NodeBB vendor guidance for a fixed release or official workaround.
  • Prioritize upgrading instances at v4.0.4 or earlier if vendor guidance confirms exposure.
  • Limit access to administrative blacklist IP functions where operationally feasible.
  • If the function is broken, remove malicious stored content through approved database recovery procedures.

Validation and detection

  • Confirm whether each forum is NodeBB and determine its deployed version.
  • Compare versions against the CVE description: v4.0.4 and before.
  • Review whether blacklist IP functionality is present and used.
  • Look for unexpected stored content affecting blacklist IP pages.
  • Document uncertainty where product metadata or vendor fix information is unavailable.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-79: User-session and phishing behavior lookup

Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Database behavior lookup

The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-29512 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.1 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
2Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.1CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N2.82.7CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

6.1Medium
CVSS 3.1 vector shape for CVE-2025-29512Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-79 · source CWE mapping

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.