
CVE-2022-36045: CWE-330: Use of Insufficiently Random Values in NodeBB NodeBB

Medium
Published: Wed Aug 31 2022 (08/31/2022, 15:10:09 UTC)
Source: CVE
Vendor/Project: NodeBB
Product: NodeBB

Description

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier) used a cryptographically insecure pseudo-random number generator (`Math.random()`), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to. This vulnerability impacts all installations of NodeBB. The vulnerability allows for an attacker to take over any account without the involvement of the victim, and as such, the remediation should be applied immediately (either via NodeBB upgrade or cherry-pick of the specific changeset). The vulnerability has been patched in version 2.x and 1.19.x. There is no known workaround, but the patch sets listed above will fully patch the vulnerability.

AI-Powered Analysis

Last updated: 06/22/2025, 23:21:06 UTC

Technical Analysis

CVE-2022-36045 is a vulnerability in NodeBB, a popular open-source forum software built on Node.js that supports Redis, MongoDB, or PostgreSQL databases and uses web sockets for real-time interactions. The vulnerability stems from the use of an insecure pseudo-random number generator (PRNG) in the helper function `utils.generateUUID`, which relied on JavaScript's `Math.random()`. This function is used extensively across NodeBB versions dating back to at least v1.0.1. Because `Math.random()` is not cryptographically secure, an attacker can predict the output of the password reset token generation process. By repeatedly invoking the password reset functionality and analyzing the reset codes, an attacker can calculate valid reset tokens for arbitrary accounts without needing access to the victim's email or any other authentication factors. This enables account takeover without victim interaction. The vulnerability affects all NodeBB installations running versions prior to 1.19.8 and version 2.0.0. It has been patched in NodeBB versions 1.19.x (from 1.19.8 onward) and 2.x. No known workarounds exist, so immediate patching is required to mitigate the risk. There are no known exploits in the wild at this time, but the vulnerability's nature makes it a critical risk for any exposed NodeBB forum, especially those with sensitive user data or administrative accounts. The weakness is classified under CWE-330 (Use of Insufficiently Random Values) and CWE-338 (Use of Cryptographically Weak PRNG).

Potential Impact

The primary impact of this vulnerability is unauthorized account takeover, which compromises confidentiality and integrity of user accounts on affected NodeBB forums. Attackers can reset passwords without victim involvement, potentially gaining access to sensitive personal information, private discussions, or administrative controls. This can lead to data breaches, defacement, or further lateral attacks within organizations using NodeBB for internal or external communications. For European organizations, this raises compliance risks under GDPR due to unauthorized access to personal data. The availability impact is limited but possible if attackers disrupt forum operations or lock out legitimate users. Because NodeBB is used by a range of communities and enterprises, the scope includes both public-facing and internal forums. The ease of exploitation is moderate; it requires scripting and repeated password reset requests but no privileged access or victim interaction. The vulnerability affects all installations running vulnerable versions, which may be widespread given NodeBB's popularity in Europe. The lack of known exploits suggests the threat is currently theoretical but patching is urgent to prevent future attacks.

Mitigation Recommendations

Immediately upgrade NodeBB installations to version 1.19.8 or later, or to any patched 2.x version to fully remediate the vulnerability. If immediate upgrade is not feasible, apply the specific security patch or cherry-pick the changeset addressing the insecure PRNG usage from the NodeBB repository. Restrict access to the password reset functionality by implementing rate limiting and CAPTCHA challenges to reduce the feasibility of automated token prediction attacks. Monitor password reset logs for unusual activity patterns such as repeated reset requests from the same IP or targeting multiple accounts. Review and harden email delivery systems to ensure password reset emails are not intercepted or redirected. For organizations using NodeBB internally, consider additional multi-factor authentication (MFA) on user accounts to mitigate the impact of compromised passwords. Conduct a security audit of all NodeBB instances to identify and upgrade vulnerable versions promptly. Educate users about the importance of strong, unique passwords and vigilance for suspicious account activity.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3bdc

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 11:21:06 PM

Last updated: 8/18/2025, 12:32:51 AM

