Prototype Pollution in Node-Red
Description
Node-RED 1.2.7 and earlier contains a prototype pollution vulnerability in the admin API that can alter runtime behavior; patched in 1.2.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2021-21297 is a prototype pollution vulnerability in the Node-RED admin API affecting versions 1.2.7 and earlier. A specially crafted request can modify the prototype of the default JavaScript Object, potentially altering the default behavior of the Node-RED runtime [1][3].
Exploitation
The attack vector is the admin API, which requires network access to the editor URL. The vulnerability is triggered by a badly formed request to that API. The sources do not state whether authentication is required, but the published workaround is to restrict access to the editor URL to authorized users only [3].
Impact
Successful exploitation could lead to unintended changes in the runtime's default behavior, which may enable further attacks such as property injection or denial of service. The exact impact depends on how the runtime uses the polluted properties [1][3].
Mitigation
The vulnerability is patched in Node-RED version 1.2.8 [4]. As a workaround, administrators should ensure that only authorized users can access the editor URL [3].
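To illustrate the class of bug the overview describes, the following added JavaScript example (not Node-RED's code; the merge functions, the request body and the field names are constructed for illustration) shows how a naive recursive merge of attacker-controlled JSON lands a property on Object.prototype, a hardened merge that rejects the keys through which a merge can reach the prototype chain, and a walker that a service can run over decoded request bodies before merging them into runtime state.

```javascript
'use strict';

// Keys through which a merged object can reach the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive merge (constructed illustration, not Node-RED code).
// It descends into target[key] without checking that key is an own
// property, so a key of "__proto__" makes it recurse into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Walk a decoded JSON body and return the paths of any keys that could
// pollute the prototype chain; an empty array means the body is clean.
function findPollutionKeys(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findPollutionKeys(value[key], here, found);
  }
  return found;
}

// Hardened merge: refuse bodies carrying forbidden keys outright, and only
// ever descend into properties the target object itself owns.
function safeMerge(target, source) {
  const bad = findPollutionKeys(source);
  if (bad.length > 0) {
    throw new Error(`rejected request body: prototype-polluting keys at ${bad.join(', ')}`);
  }
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body: JSON.parse creates "__proto__" as an own
// property of the result rather than setting the object's prototype.
const HOSTILE_BODY = '{"name": "flow-a", "__proto__": {"polluted": true}}';

// Returns true when the naive merge leaked a property onto every object.
function demoUnsafeMerge() {
  unsafeMerge({}, JSON.parse(HOSTILE_BODY));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution for the rest of the process
  return leaked;
}

// Returns true when the hardened merge rejected the body and nothing leaked.
function demoSafeMerge() {
  let rejected = false;
  try {
    safeMerge({}, JSON.parse(HOSTILE_BODY));
  } catch (err) {
    rejected = true;
  }
  return rejected && ({}).polluted === undefined;
}

// A benign body still merges normally under the hardened function.
function demoBenignMerge() {
  return safeMerge({ settings: { retries: 1 } }, { settings: { timeout: 30 }, name: 'flow-b' });
}

console.log('naive merge polluted Object.prototype:', demoUnsafeMerge());
console.log('hardened merge rejected body:', demoSafeMerge());
console.log('benign merge result:', JSON.stringify(demoBenignMerge()));
```

The walker is the piece worth wiring into request handling: rejecting and logging any body that carries these keys gives both a hard stop and a detection signal, independent of which merge or clone helper later touches the data. As an additional process-wide guard, calling Object.freeze(Object.prototype) at startup makes any later attempt to add properties to it fail (a TypeError in strict-mode code), at the cost of breaking legitimate libraries that extend Object.prototype, so it should be tested before being relied on. None of this replaces upgrading to the patched release named on this page.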
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @node-red/runtime (npm) | < 1.2.8 | 1.2.8 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- github.com/advisories/GHSA-xp9c-82x8-7f67 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21297 (ghsa: ADVISORY)
- github.com/node-red/node-red/releases/tag/1.2.8 (ghsa: x_refsource_MISC, WEB)
- github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67 (ghsa: x_refsource_CONFIRM, WEB)
- www.npmjs.com/package/%40node-red/editor-api (mitre: x_refsource_MISC)
- www.npmjs.com/package/%40node-red/runtime (mitre: x_refsource_MISC)
- www.npmjs.com/package/@node-red/editor-api (ghsa: WEB)
- www.npmjs.com/package/@node-red/runtime (ghsa: WEB)
News mentions (0)
No linked articles in our index yet.