CVE-2021-21297
7.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| node-red | node-red | < 1.2.8 | affected |
Weaknesses
- CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CWE-915: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67
- https://www.npmjs.com/package/%40node-red/runtime
- https://www.npmjs.com/package/%40node-red/editor-api
- https://github.com/node-red/node-red/releases/tag/1.2.8
References
- https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67
- https://www.npmjs.com/package/%40node-red/runtime
- https://www.npmjs.com/package/%40node-red/editor-api
- https://github.com/node-red/node-red/releases/tag/1.2.8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.