Package details: pkg:npm/node-red@1.2.8
purl pkg:npm/node-red@1.2.8
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-h7v4-5z1t-aqbk | Improperly Controlled Modification of Dynamically-Determined Object Attributes. Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the release. A workaround is to ensure only authorized users are able to access the editor URL. | CVE-2021-21297, GHSA-xp9c-82x8-7f67 |
| VCID-m5kp-t88v-fufu | Path Traversal. Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The vulnerability applies only to the Projects feature, which is not enabled by default in Node-RED. The primary workaround is not to give untrusted users read access to the Node-RED editor. | CVE-2021-21298, GHSA-m33v-338h-4v9f |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T16:20:50.412694+00:00 | GitLab Importer | Fixing | VCID-h7v4-5z1t-aqbk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-red/CVE-2021-21297.yml | 38.6.0 |
| 2026-06-04T16:20:50.371114+00:00 | GitLab Importer | Fixing | VCID-m5kp-t88v-fufu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/node-red/CVE-2021-21298.yml | 38.6.0 |