Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype…
Source: GitHub_M · CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) · Published 2021-02-26
Node-RED is a low-code programming tool for event-driven applications, built on Node.js. Node-RED 1.2.7 and earlier contains a prototype pollution vulnerability in the admin API: a badly formed request can modify the prototype of the default JavaScript Object, with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorised users are able to access the editor URL (the editor and the admin API are served from the same base path, httpAdminRoot, so restricting access to the editor URL also restricts access to the API).
### Impact

Node-RED 1.2.7 and earlier contains a prototype pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object, with the potential to affect the default behaviour of the Node-RED runtime.

### Patches

The vulnerability is patched in the 1.2.8 release.

### Workarounds

A workaround is to ensure only authorised users are able to access the editor URL.

### For more information

If you have any questions or comments about this advisory:

* Email us at [team@nodered.org](mailto:team@nodered.org)

### Acknowledgements

Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.
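The advisory describes the bug class but not the mechanics. The following is an added illustration of how a "badly formed request" pollutes `Object.prototype` through a recursive merge, and of one way to harden that merge; it is not Node-RED's code and does not reproduce the patched code path. `unsafeDeepMerge`, `safeDeepMerge`, `enumerablePrototypeKeys` and the JSON request body are all constructed for this example.

```javascript
// Added illustration of CWE-915 (prototype pollution) in a JSON-accepting admin
// endpoint. This is NOT Node-RED's code: unsafeDeepMerge is a generic, deliberately
// vulnerable recursive-merge pattern, safeDeepMerge is one way to harden it, and the
// request body below is constructed for the example.

// Constructed "badly formed request": a JSON body whose top-level key is "__proto__".
// JSON.parse stores it as an ordinary own property, so code that walks the parsed
// object's keys and writes through target[key] steps into Object.prototype.
const MALICIOUS_BODY = '{"__proto__": {"polluted": "yes"}}';

// Deliberately vulnerable: trusts every key of the untrusted source object.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      // For key "__proto__", target[key] resolves to Object.prototype, so the
      // recursion writes attacker-controlled properties onto every object in the process.
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      unsafeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject keys that reach the prototype chain, and only descend into
// properties the target itself owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected request: key "${key}" is not allowed`);
    }
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== "object") {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime canary: Object.prototype normally has no enumerable own properties, so any
// that appear after a request was handled mean untrusted input reached the prototype.
function enumerablePrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Feed the crafted body to the vulnerable merge and report what a fresh, unrelated
// object now inherits. Cleans up afterwards so the rest of the process is unaffected.
function demonstratePollution() {
  const settings = {};
  unsafeDeepMerge(settings, JSON.parse(MALICIOUS_BODY));
  const result = { leaked: ({}).polluted, canary: enumerablePrototypeKeys() };
  delete Object.prototype.polluted;
  return result;
}

// Same body against the hardened merge: the request is rejected and nothing leaks.
function demonstrateHardened() {
  const settings = {};
  let rejected = false;
  try {
    safeDeepMerge(settings, JSON.parse(MALICIOUS_BODY));
  } catch (err) {
    rejected = true;
  }
  return { rejected, leaked: ({}).polluted, canary: enumerablePrototypeKeys() };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable merge:", demonstratePollution()); // leaked: "yes", canary: ["polluted"]
  console.log("hardened merge:", demonstrateHardened());    // rejected: true, leaked: undefined
  console.log("benign merge:", safeDeepMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 }));
}
```

The key check alone is not sufficient in general: `constructor.prototype` reaches the same place via a different path, which is why all three names are rejected, and the hardened merge only recurses into properties the target owns so an inherited accessor is never used as a merge destination. The `enumerablePrototypeKeys` canary is cheap enough to run after each admin request in a test suite.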
Node-RED is a low-code programming tool for event-driven applications, built on Node.js. Node-RED 1.2.7 and earlier contains a prototype pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object, with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in version 1.2.8. A workaround is to ensure that only authorised users are able to access the editor URL.
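The workaround above ("only authorised users can access the editor URL") maps to the `adminAuth` block of Node-RED's `settings.js`. The fragment below is an added example, not Node-RED's shipped settings file: it shows the weak configuration beside the hardened one. The bcrypt hashes are placeholders to be replaced with the output of `node-red admin hash-pw`.

```javascript
// Added example of the advisory's workaround as a Node-RED settings.js fragment.
// Not Node-RED's shipped settings file. The bcrypt hashes are placeholders: generate
// real ones with `node-red admin hash-pw` and paste the output in their place.

// Weak: no adminAuth, so the editor and the admin API (both served under
// httpAdminRoot) accept requests from anyone who can reach the port.
const weakSettings = {
  uiPort: 1880,
  httpAdminRoot: "/",
};

// Hardened: require a login for the editor and admin API. "read" users can view
// flows but cannot deploy or change runtime settings; reserve "*" for administrators.
const hardenedSettings = {
  uiPort: 1880,
  httpAdminRoot: "/",
  adminAuth: {
    type: "credentials",
    users: [
      { username: "admin", password: "<bcrypt hash from node-red admin hash-pw>", permissions: "*" },
      { username: "viewer", password: "<bcrypt hash from node-red admin hash-pw>", permissions: "read" },
    ],
  },
};

module.exports = hardenedSettings;
```

Treat this as exposure reduction, not a fix: the CVSS vectors in the table below rate the issue PR:L, so an authenticated editor user can still trigger it. Upgrading to 1.2.8 is the remediation.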
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.0 | 8.0 | 2.9 | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| 3.1 | Primary | cve.org | 7.7 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
| 3.1 | Primary | NVD | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | Secondary | GHSA | 7.7 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
| 3.1 | Secondary | NVD | 7.7 | 3.1 | 4.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |