CVE-2021-21297

Description

### Impact Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. ### Patches The vulnerability is patched in the 1.2.8 release. ### Workarounds A workaround is to ensure only authorised users are able to access the editor url. ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected]) ### Acknowledgements Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.

How to fix CVE-2021-21297

To remediate CVE-2021-21297, upgrade the affected package to a fixed version below.

• —upgrade to 1.2.8 or later

Is CVE-2021-21297 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.2.8

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21297
• PATCHgithub.com/node-red/node-red
• WEBgithub.com/node-red/node-red/releases/tag/1.2.8
• WEBgithub.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67
• WEB