Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime.
A workaround is to ensure only authorised users are able to access the editor url.
Upgrade to version 1.2.8 or later
CPE | Name | Operator | Version |
---|---|---|---|
@node-red/runtime | lt | 1.2.8 |