- nodebb
- activitypub
- federated
- exploitarium
news
NodeBB 4.13.2 ActivityPub attributedTo Local UID Spoof
Signed remote Create(Note) with numeric attributedTo binds to local uid — private chat and public posts appear from spoofed administrator account.
Summary
NodeBB 4.13.2 verifies the top-level ActivityPub actor signature but accepts a numeric Note.attributedTo value as an internal local uid without binding it to the authenticated actor. A remote federated sender can forge private chat messages and public forum posts that appear to originate from uid 1 (commonly the first administrator). This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | NodeBB v4.13.2 with ActivityPub inbox enabled |
| Primitive | activitypub.mocks.message() stores object.attributedTo as message.uid without actor equality check |
| Impact | Remote actor creates stored chat content and public topics attributed to arbitrary local uids. |
Attack Chain
Signed remote actor → POST /inbox Create(Note) attributedTo: 1 → assertPrivate → messaging.newRoom(spoofUid) → message stored with fromuid=1
Mitigation
Reject numeric attributedTo values, require ActivityPub actor URIs, and assert that the embedded author matches the authenticated top-level actor on every Create path (private chat messages and public topics alike), so that a remote signer can never bind content to a local uid it does not control.