5 matches found
Directory Traversal
@node-red/runtime is vulnerable to directory traversal. The vulnerability exists as users with the projects.read permission can access any file via the Projects API...
CVE-2021-21297
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default...
@albcastillobeone/node-red-contrib-event-classifier (=1.0.0), @dolittle/node-red (>=2.0.0 <=2.2.8) +28 more potentially affected by CVE-2021-21298 via @node-red/runtime (>=0.20.0-beta.2 <=1.2.7)
@node-red/runtime NPM version =0.20.0-beta.2, =2.0.0, =2.0.0, =1.1.0, =6.1.0, =1.2.0, =0.1.1, =1.0.44, =2.7.2, =1.8.0, =0.20.0, =0.0.1, =1.0.0, =1.0.20 and more Source cves: CVE-2021-21298 Source advisory: OSV:GHSA-M33V-338H-4V9F...
@albcastillobeone/node-red-contrib-event-classifier (=1.0.0), @dolittle/node-red (>=2.0.0 <=2.2.8) +28 more potentially affected by CVE-2021-21297 via @node-red/runtime (>=0.20.0-beta.2 <=1.2.7)
@node-red/runtime NPM version =0.20.0-beta.2, =2.0.0, =2.0.0, =1.1.0, =6.1.0, =1.2.0, =0.1.1, =1.0.44, =2.7.2, =1.8.0, =0.20.0, =0.0.1, =1.0.0, =1.0.20 and more Source cves: CVE-2021-21297 Source advisory: OSV:GHSA-XP9C-82X8-7F67...
Prototype Pollution
Overview. Impact: Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. Workarounds: A workaround is to...