CVE-2021-21298 LOW

CVE-2021-21298: Path traversal in Node-Red

Vendor Node-Red
Product node-red
Weakness CWE-22 · Path traversal
Published February 26, 2021
Last update August 3, 2024

CVSS base score

3.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.

Key dates

02Disclosure timeline

February 26, 2021 CVE published
August 3, 2024 Record updated