PT-2021-7971 · Node.Js · Node-Red
Published 2021-02-26 · Updated 2022-10-25
CVE-2021-21297
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Node-RED versions 1.2.7 and earlier
Description
The issue is a Prototype Pollution vulnerability in the admin API of Node-RED, a low-code programming tool for event-driven applications built on Node.js. A badly formed request can modify the prototype of the default JavaScript Object, potentially altering the default behaviour of the Node-RED runtime.
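To illustrate the class of bug described above, the following added example (not Node-RED's own code) shows a naive recursive merge of a JSON request body into a settings object beside a hardened version that refuses the keys through which Object.prototype can be reached. The request body, the settings object and the function names are constructed for this illustration.

```javascript
// Added example, not Node-RED code: a naive deep merge of a request body
// into a settings object, and a hardened merge that rejects dangerous keys.

// Naive deep merge: assigns every key it finds, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion
// then writes the attacker-controlled sub-object onto the shared prototype.
function mergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: rejects the keys that lead to the prototype chain and
// only descends into properties the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected dangerous key: ${key}`);
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body standing in for a badly formed API request.
const BAD_BODY = JSON.parse('{"ui":{"theme":"dark"},"__proto__":{"polluted":true}}');

// Runs both merges against the constructed body and reports the outcome.
function demo() {
  mergeNaive({}, BAD_BODY);
  const naivePolluted = ({}).polluted === true; // an unrelated object now inherits the key
  delete Object.prototype.polluted;             // undo the pollution for the rest of the process
  let safeRejected = false;
  try { mergeSafe({}, BAD_BODY); } catch (e) { safeRejected = true; }
  return { naivePolluted, safeRejected, stillClean: ({}).polluted === undefined };
}
```

A runtime check for this condition is to test whether an unrelated fresh object suddenly has properties it was never given; the hardened merge simply makes the write impossible.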
Recommendations
For Node-RED versions 1.2.7 and earlier, update to version 1.2.8 to resolve the issue.
As a temporary workaround, ensure only authorized users are able to access the editor URL.
Fix
Prototype Pollution
Affected Products
Node-Red