Path traversal in Node-Red

Description

Impact

This vulnerability allows arbitrary path traversal via the Projects API.

If the Projects feature is enabled, a user with projects.read permission is able to access any file via the Projects API.

Patches

The issue has been patched in Node-RED 1.2.8

Workarounds

The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED.

The primary workaround is not give untrusted users read access to the Node-RED editor.

For more information

If you have any questions or comments about this advisory:
* Email us at [email protected]

Acknowledgements

Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Not specified
Published (advisory)
2021-02-26 16:31:23 UTC
Updated
2023-02-01 05:05:16 UTC
GitHub reviewed
2021-02-26 16:23:34 UTC
NVD published
2021-02-26

EPSS Score

Score Percentile
0.36% 58.54%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @node-red/runtime < 1.2.8 1.2.8

References

cvelogic Threat Intelligence