Package details: pkg:npm/node-red@0.20.8
purl pkg:npm/node-red@0.20.8
Next non-vulnerable version 1.2.8
Latest non-vulnerable version 1.2.8
Risk 4.0
Vulnerabilities affecting this package (2)
VCID-h7v4-5z1t-aqbk
Aliases: CVE-2021-21297, GHSA-xp9c-82x8-7f67
Summary: Improperly Controlled Modification of Dynamically-Determined Object Attributes. Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the release. A workaround is to ensure only authorized users are able to access the editor URL.
Fixed by: 1.2.8 (affected by 0 other vulnerabilities)

VCID-m5kp-t88v-fufu
Aliases: CVE-2021-21298, GHSA-m33v-338h-4v9f
Summary: Path Traversal. Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The vulnerability applies only to the Projects feature, which is not enabled by default in Node-RED. The primary workaround is to not give untrusted users read access to the Node-RED editor.
Fixed by: 1.2.8 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)
VCID-gh2h-q3t6-ebeb
Aliases: CVE-2019-15607, GHSA-8w65-xjc5-9w79
Summary: Cross-site Scripting. A stored XSS vulnerability is present within the node-red npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-05T21:10:52.404383+00:00 GHSA Importer Fixing VCID-gh2h-q3t6-ebeb https://github.com/advisories/GHSA-8w65-xjc5-9w79 38.6.0
2026-06-04T20:45:39.820222+00:00 GitLab Importer Affected by VCID-h7v4-5z1t-aqbk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-red/CVE-2021-21297.yml 38.6.0
2026-06-04T20:45:39.122702+00:00 GitLab Importer Affected by VCID-m5kp-t88v-fufu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-red/CVE-2021-21298.yml 38.6.0
2026-06-04T17:23:14.329985+00:00 GithubOSV Importer Fixing VCID-gh2h-q3t6-ebeb https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-8w65-xjc5-9w79/GHSA-8w65-xjc5-9w79.json 38.6.0
2026-06-04T16:19:45.394731+00:00 GitLab Importer Fixing VCID-gh2h-q3t6-ebeb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-red/CVE-2019-15607.yml 38.6.0