CVE-2021-21297
- Source
- https://cve.org/CVERecord?id=CVE-2021-21297
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21297.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-21297
- Aliases
- Related
- Published
- 2021-02-26T17:15:12.210Z
- Modified
- 2026-04-10T04:29:35.496193Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url.
- References
Affected packages
Git / github.com/node-red/node-red
Affected versions
0.*
0.10.0
0.10.1
0.10.10
0.10.2
0.10.3
0.10.4
0.10.6
0.10.8
0.10.9
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.15.0
0.15.1
0.15.2
0.15.3
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.20.0
0.20.0-beta.2
0.20.0-beta.3
0.20.0-beta.5
0.20.1
0.20.2
0.20.3
0.20.4
0.20.5
0.20.6
0.20.7
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.9.0
0.9.1
1.*
1.0.0
1.0.0-beta.3
1.0.0-beta.4
1.0.1
1.0.5
1.0.6
1.1.0
1.1.1
1.2.0
1.2.0-beta.1
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
v0.*
v0.2.0