Summary
Flarum post mentions can be used to read any post on the forum without access control
Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special @"<username>"#p<id> syntax.
The following behavior never changes no matter if the actor should be able to read the mentioned post or not:
A URL to the mentioned post is inserted into the actor post HTML, leaking its discussion ID and post number.
The mentionsPosts relationship included in the POST /api/posts and PATCH /api/posts/<id> JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions.
An attacker only needs the ability to create new posts on the forum to exploit the vulnerability. This works even if new posts require approval. If they have the ability to edit posts, the attack can be performed even more discreetly by using a single post to scan any size of database and hiding the attack post content afterward.
Workarounds
Disable the mentions extension.
For more information
For any questions or comments on this vulnerability please visit https://discuss.flarum.org/
For support questions create a discussion at https://discuss.flarum.org/t/support.
A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing [email protected], and we will address it promptly.
Impact
The attack allows the leaking of all posts in the forum database, including posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions like FriendsOfFlarum Byobu. This also includes non-comment posts like tag changes or renaming events.
The discussion payload is not leaked but using the mention HTML payload it's possible to extract the discussion ID of all posts and combine all posts back together into their original discussions even if the discussion title remains unknown.
All Flarum versions prior to v1.6.3 are affected.
CVE-2023-22487 has a CVSS score of 7.7 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum have to upgrade as soon as possible to v1.6.3 using:
composer update --prefer-dist --no-dev -a -W
You can then confirm you run the latest version using:
composer show flarum/core
Frequently Asked Questions
- What is CVE-2023-22487? CVE-2023-22487 is a high-severity security vulnerability in flarum/mentions (composer), affecting versions < 1.6.3. It is fixed in 1.6.3.
- How severe is CVE-2023-22487? CVE-2023-22487 has a CVSS score of 7.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of flarum/mentions are affected by CVE-2023-22487? flarum/mentions (composer) versions < 1.6.3 is affected.
- Is there a fix for CVE-2023-22487? Yes. CVE-2023-22487 is fixed in 1.6.3. Upgrade to this version or later.
- Is CVE-2023-22487 exploitable, and should I be worried? Whether CVE-2023-22487 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2023-22487 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2023-22487? Upgrade
flarum/mentionsto 1.6.3 or later.