CVE-2021-21298: Path traversal in Node-Red
CVSS Score: N/A
Basic Information
CVE ID: CVE-2021-21298
GHSA ID:
EPSS Score: 0.57808%
CWE:
Published: 2/26/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: -
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
@node-red/runtime | npm | < 1.2.8 | 1.2.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing path validation in key project-management functions. The commit diff shows that security checks were added to these functions, using fspath.relative() together with regex patterns to reject '../' sequences. Specifically:
- getFile() lacked path validation before file access
- update() accepted user-controlled file paths without validation
- loadProject() allowed project names containing path traversal sequences

These functions directly handled user-supplied path parameters and were the entry points for the path traversal, as evidenced by the security patches that added validation checks at exactly these locations.