Nocobase ≤v2.0.57 File Upload chained with LFI leads to RCE
Nocobase versions up to 2.0.57 contain two chained vulnerabilities that allow an authenticated admin to achieve remote code execution (RCE). The first vulnerability permits arbitrary file write by manipulating the file upload storage root path without validation. The second vulnerability allows local file inclusion (LFI) via an unsanitized require() call on user-supplied paths. Together, these flaws enable an attacker with admin credentials to upload and execute malicious code on the server. The issue is fixed in version 2.1.5.
AI Analysis
Technical Summary
Two vulnerabilities in Nocobase ≤2.0.57 were identified and chained to achieve authenticated remote code execution. The first vulnerability allows an authenticated admin to redirect the file upload storage root to any absolute filesystem path by supplying an unsanitized documentRoot value to the storages:update API, enabling arbitrary file writes including to the application directory. The second vulnerability allows the same admin to trigger Node.js require() on any absolute filesystem path via the pm:enable plugin manager endpoint without validation, enabling local file inclusion. Chained together, these allow an attacker with admin credentials to upload a malicious JavaScript payload and execute it on the server. A working proof-of-concept exploit requires only a valid admin session token. The vulnerabilities are fixed in version 2.1.5.
Potential Impact
An attacker with valid admin credentials can write arbitrary files to any location writable by the Node.js process, including the application root, and then execute arbitrary code by triggering a local file inclusion via the pm:enable endpoint. This results in authenticated remote code execution on the server hosting Nocobase ≤2.0.57. The vulnerabilities expose the system to full compromise by authorized users.
Mitigation Recommendations
An official fix is available in Nocobase version 2.1.5. Users should upgrade to version 2.1.5 or later to remediate these vulnerabilities. Until upgraded, restrict admin access tightly and monitor for suspicious activity. No other vendor-recommended mitigations are provided.
Reddit Discussion
Two vulnerabilities were identified and chained to achieve authenticated remote code execution in Nocobase ≤v2.0.57 (CVE ID Pending)
Fixed in version 2.1.5
The first vulnerability allows any authenticated admin to redirect the file upload storage root to an arbitrary path on disk, including the application directory itself, by supplying an unsanitized documentRoot value to the storages:update API. The second vulnerability allows the same admin to trigger Node.js require() on any absolute filesystem path via the pm:enable plugin manager endpoint, which accepts user-supplied paths with no validation (Local File Inclusion).
Chained together, these two flaws allow an attacker with admin credentials to write a malicious file and have it trigger on the system, achieving remote code execution.
A working proof-of-concept exploit chain was developed and verified, requiring only a valid admin session token or admin credentials.
Link to the official advisory: https://github.com/nocobase/nocobase/security/advisories/GHSA-ghvf-qf6h-g8x5
Link to my Github with the disclosure report:
Affected software
Technical Details
- Source Type: Subreddit
- Subreddit: blueteamsec+AskNetsec+Information_Security
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":38,"reasons":["external_link","newsworthy_keywords:rce","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":["rce"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a32d742f198dc38c1c77227
Added to database: 6/17/2026, 5:20:02 PM
Last enriched: 6/17/2026, 5:20:17 PM
Last updated: 6/17/2026, 6:23:08 PM
Views: 2