node-red is vulnerable to prototype pollution. It does not prevent unauthorized users from accessing the editor URL, allowing an attacker to send a malformed request that modifies the Node-RED runtime behaviour.
Name | Operator | Version |
---|---|---|
@node-red/editor-api | le | 1.2.7 |
@node-red/runtime | le | 1.2.7 |
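
A check a defender can run against a deployment's lockfile, added here as an example (not code from this advisory or from the Node-RED project): it flags installed copies of the two packages listed above at or below 1.2.7. The function names and the sample lockfile are constructed for illustration.

```javascript
// Affected packages and upper bounds from the table above ("le" = less than or equal).
const AFFECTED = new Map([
  ['@node-red/editor-api', '1.2.7'],
  ['@node-red/runtime', '1.2.7'],
]);
// Compare x.y.z numerically; pre-release/build suffixes are ignored (a simplification).
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Walk a parsed package-lock.json: the v2/v3 "packages" map, else the v1 "dependencies" tree.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const max = AFFECTED.get(name);
    if (max && typeof version === 'string' && compareVersions(version, max) <= 0) {
      hits.push({ name, version, where });
    }
  };
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail + name);
      walk(meta.dependencies, trail + name + ' > ');
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(path.split('node_modules/').pop(), meta.version, path);
    }
  } else {
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lockfile (v2 layout), not taken from a real project.
const sampleLock = {
  packages: {
    'node_modules/@node-red/editor-api': { version: '1.2.7' },
    'node_modules/@node-red/runtime': { version: '1.2.9' },
    'node_modules/node-red/node_modules/@node-red/runtime': { version: '1.1.3' },
  },
};
console.log(findAffected(sampleLock));
```

To scan a real install, pass the result of `JSON.parse` on the project's `package-lock.json` to `findAffected`.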