NocoDB is a highly popular open-source software that allows users to build databases as spreadsheets. It is designed to provide an easy-to-use platform for non-coders, making it an attractive option for businesses and individuals who require database management solutions. However, like any software, it is essential to maintain security protocols and evaluate potential vulnerabilities that could arise during use.
In this blog post, we will discuss a security issue in NocoDB, identified as CVE-2025-27506, which concerns a Reflected Cross-Site Scripting (XSS) vulnerability in the API endpoint related to the password reset function. We will analyze the specifics of the vulnerability, share code snippets for better understanding, and delve into the exploit details. We will also provide users with an understanding of how to protect themselves from this issue by updating to the fixed version.
Vulnerability Details
The vulnerability in question affects the API endpoint /api/v1/db/auth/password/reset/:tokenId. This endpoint is vulnerable to Reflected Cross-Site Scripting (XSS), a security flaw that allows an attacker to inject malicious scripts into webpages viewed by other users.
The flaw in NocoDB occurs due to the implementation of the client-side template engine EJS (Embedded JavaScript), specifically the file resetPassword.ts. This file contains a template that uses the unescaped EJS output tag "<%-" (which inserts a value into the page without HTML-escaping it), and the template is rendered by the main function renderPasswordReset.
Here's a code snippet demonstrating the insecure use of "<%-":
const resetPasswordTemplate = `
<!DOCTYPE html>
<html>
<head>
<title>Password Reset</title>
</head>
<body>
<h1>Reset Your Password</h1>
<form>
<input type="hidden" name="tokenId" value="<%- tokenId %>">
...
</form>
</body>
</html>`;
By exploiting this vulnerability, an attacker can craft a URL containing a malicious script in the tokenId parameter, which is then executed when a victim clicks on the link. This XSS attack can enable the attacker to impersonate a legitimate user, perform unauthorized actions, or steal sensitive data.
For more information on this vulnerability, you can refer to the following resources:
1. NIST NVD entry: CVE-2025-27506
2. GitHub issue: Reflected XSS in NocoDB
Fix and Recommendations
Fortunately, the NocoDB team has already addressed this vulnerability and released a fix in version .258.. It is recommended that users update their NocoDB installations to this version or later to be protected from this issue.
The updated code snippet from resetPassword.ts with a secure EJS implementation, using the escaped output tag "<%=", is shown below:
const resetPasswordTemplate = `
<!DOCTYPE html>
<html>
<head>
<title>Password Reset</title>
</head>
<body>
<h1>Reset Your Password</h1>
<form>
<input type="hidden" name="tokenId" value="<%= tokenId %>">
...
</form>
</body>
</html>`;
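To make the difference between the two output tags concrete, here is an added example (not NocoDB's code) with a minimal renderer that mimics the "<%-" (raw) and "<%=" (escaped) EJS tags, plus a small lint that flags raw-output tags in a template so the insecure form can be detected in a code review. The escape table is assumed to mirror EJS's default HTML encoding rules; the sample token value is constructed.

```javascript
// Added example, not NocoDB's code. Models the two EJS output tags so the
// vulnerable "<%-" and fixed "<%=" templates can be compared offline.
// Assumption: this escape table matches EJS's default HTML encoding rules.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal renderer: supports only "<%- name %>" (raw) and "<%= name %>"
// (escaped), where name is a key of data. Real EJS evaluates arbitrary JS.
function renderTemplate(template, data) {
  return template.replace(/<%([-=])\s*([A-Za-z_$][\w$]*)\s*%>/g, (_, mode, name) => {
    const value = data[name] === undefined ? '' : data[name];
    return mode === '-' ? String(value) : escapeHtml(value);
  });
}

// Lint: return every expression emitted through the raw "<%-" tag.
// Any hit on a value derived from request input needs a second look.
function findRawOutputTags(template) {
  const found = [];
  const re = /<%-\s*([^%]*?)\s*%>/g;
  let m;
  while ((m = re.exec(template)) !== null) found.push(m[1]);
  return found;
}

// The single line that changed between the vulnerable and fixed templates.
const INSECURE = '<input type="hidden" name="tokenId" value="<%- tokenId %>">';
const FIXED    = '<input type="hidden" name="tokenId" value="<%= tokenId %>">';

// Constructed sample token containing the characters that matter inside an
// HTML attribute: the quote closes the attribute, angle brackets open a tag.
const sample = { tokenId: 'abc"<>\'&' };

console.log('raw     :', renderTemplate(INSECURE, sample));
console.log('escaped :', renderTemplate(FIXED, sample));
console.log('raw tags:', findRawOutputTags(INSECURE), findRawOutputTags(FIXED));
```

With the raw tag the quote and angle brackets reach the page unchanged, so the attribute boundary is lost; with the escaped tag every special character becomes an entity and the value stays inside the attribute.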
To update your local NocoDB installation, follow these steps:
1. If you installed NocoDB using Node Package Manager (npm), run npm update -g nocodb in your terminal or command prompt.
2. If you installed NocoDB using Docker, pull the latest image using the command docker pull nocodb/nocodb:latest.
By updating your NocoDB installation, you will no longer be exposed to the CVE-2025-27506 Reflected XSS vulnerability during password resets. It is essential to remain vigilant about security vulnerabilities and keep your software updated to ensure the safety of your data and users.
Timeline
Published on: 03/06/2025 19:15:27 UTC