
Knolleary

#21159 of 53,632
11.8 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2024-19275
5.3
2024-01-15
Unknown · @Fastify/Swagger-Ui · CVE-2024-22207
**Name of the Vulnerable Software and Affected Versions** fastify-swagger-ui versions prior to 2.1.0

**Description** The default configuration of `@fastify/swagger-ui` without the `baseDir` option set leads to all files in the module's directory being exposed via HTTP routes served by the module. This issue is fixed in version 2.1.0. Setting the `baseDir` option can also work around this issue.

**Recommendations** For versions prior to 2.1.0, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider setting the `baseDir` option to minimize exposure.
PT-2021-14398
6.5
2021-02-26
Node Red · Node-Red · CVE-2021-21298
Name of the Vulnerable Software and Affected Versions: Node-RED versions 1.2.7 and earlier

Description: The issue allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission can access any file via the Projects API. The vulnerability applies only to the Projects feature, which is not enabled by default in Node-RED.

Recommendations: For Node-RED versions 1.2.7 and earlier, update to Node-RED 1.2.8 to resolve the issue. As a temporary workaround, do not give untrusted users read access to the Node-RED editor.