Summary
When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.
Affected package
flarum/nicknames — permissive display name driver that allows special characters; affected since initial release on the 1.x branch
Any third-party display name driver that permits special characters would be equally affected.
Variants
- Domain autolink — a nickname such as nasty.com is automatically converted to a clickable hyperlink by virtually all email clients (Gmail, Outlook, Apple Mail, Thunderbird).
- Markdown link syntax — a nickname such as [CLICK](https://evil.com) is rendered as a clickable hyperlink by email clients that auto-render markdown in plain-text emails (e.g. Apple Mail, Thunderbird).
Steps to reproduce
Variant 1 (autolink — affects all email clients)
- Enable flarum/nicknames, set nickname to nasty.com
- Trigger a notification email to another user (e.g. follow them, mention them)
- The nickname appears as a clickable link in the received email
Variant 2 (markdown — affects markdown-rendering email clients)
- Enable flarum/nicknames, set nickname to [CLICK](https://evil.com)
- Trigger a notification email to another user
- In a markdown-rendering email client (e.g. Apple Mail), the nickname appears as a clickable link
Impact
Phishing / social engineering: victims may be misled into visiting attacker-controlled URLs via links appearing to originate from a trusted platform notification email. Variant 1 is exploitable against virtually all email clients without any special conditions.
- CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N — 4.6 Medium
Root cause
The default username-based display name driver constrains values to [a-zA-Z0-9_-]+, making it immune to this issue. flarum/nicknames introduced permissive validation (min/max length and an optional admin-configured regex) that allows arbitrary characters, including those meaningful in URL and markdown contexts. This has been the case since the first commit of the extension.
Proposed fix
- Add validation in flarum/nicknames to reject or sanitize nicknames containing characters that email clients may interpret as URLs or markdown links
- Alternatively, sanitize the display name before insertion into notification email bodies so that legitimate nicknames like Jane.Smith are preserved but rendered safely
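Both proposed fixes, as an added example written for this advisory (not code from flarum/nicknames): an input-side validator that rejects the two variants, and an output-side sanitizer for plain-text mail that keeps Jane.Smith intact. All function names are hypothetical, and the TLD set is a constructed subset standing in for the full IANA list.

```python
import re

# Constructed subset of public TLDs for this demo; a real deployment would load
# the full IANA root-zone list rather than this hand-picked set.
KNOWN_TLDS = {"com", "net", "org", "io", "co", "uk", "de", "info", "biz", "me"}

# Hypothetical helper names; the extension has no such functions.
MARKDOWN_LINK = re.compile(r"\[[^\]]*\]\([^)]*\)")
URL_SCHEME = re.compile(r"(?i)\b(?:https?|ftp)://|\bwww\.")
DOTTED_TOKEN = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+([a-z]{2,})\b")


def looks_like_markdown_link(nick: str) -> bool:
    """Variant 2: [text](url) syntax that markdown-rendering clients turn into a link."""
    return MARKDOWN_LINK.search(nick) is not None


def looks_like_autolink(nick: str) -> bool:
    """Variant 1: a token that mail clients autolink (a scheme, www., or label.TLD)."""
    if URL_SCHEME.search(nick):
        return True
    # Jane.Smith stays allowed: "smith" is not a TLD, so clients do not autolink it.
    return any(m.group(1).lower() in KNOWN_TLDS for m in DOTTED_TOKEN.finditer(nick))


def validate_nickname(nick: str):
    """Input-side fix: return a rejection reason, or None when the nickname is acceptable."""
    if looks_like_markdown_link(nick):
        return "nickname must not contain markdown link syntax"
    if looks_like_autolink(nick):
        return "nickname must not look like a web address"
    return None


def safe_display_name(nick: str, username: str) -> str:
    """Output-side fix for plain-text mail: fall back to the account username when the
    nickname would autolink, and backslash-escape markdown link characters otherwise."""
    if looks_like_autolink(nick):
        return username
    return re.sub(r"([\[\]()])", r"\\\1", nick)
```

Only the final dotted label is checked against the TLD set, so a nickname that is merely dotted (Jane.Smith, v1.2) passes while nasty.com, www.nasty.com and https://evil.com do not.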
References
- Bug bounty submission: SBB-L4ZVAFH8 (Intigriti)