
CVE-2021-21298: Path traversal in Node-RED

CVSS Score: N/A

Basic Information

EPSS Score: 0.57808%
Published: 2/26/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
@node-red/runtime | npm       | < 1.2.8             | 1.2.8

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing path validation in key project management functions. The commit diff shows critical security checks were added to these functions using fspath.relative() with regex patterns to prevent '../' sequences. Specifically:

  1. getFile() lacked path validation before file access
  2. update() accepted user-controlled file paths without validation
  3. loadProject() allowed project names with path traversal sequences

These functions directly handled user-supplied path parameters and were the entry points for the path traversal vulnerability, as evidenced by the security patches that added validation checks to these exact locations.

WAF Protection Rules

WAF Rule

Impact

This vulnerability allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API.

Patches

The issue has been patched
