This vulnerability allows arbitrary path traversal via the Projects API.
If the Projects feature is enabled, a user with projects.read permission is able to access any file via the Projects API.
The issue has been patched in Node-RED 1.2.8
The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED.
The primary workaround is not give untrusted users read access to the Node-RED editor.
If you have any questions or comments about this advisory:
* Email us at [email protected]
Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.
| Score | Percentile |
|---|---|
| 0.36% | 58.54% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-m33v-338h-4v9f ↗ |
| CVE | CVE-2021-21298 ↗ |
| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | @node-red/runtime | < 1.2.8 | 1.2.8 | — |