Node_RED Server Vulnerability

CRITICAL (10.0) No Patch (166 days)

Threat Intelligence

⚠️ CRITICAL GAP - Exploits exist but no detection available
EPSS Score: 0.14% chance of exploitation (percentile: 35%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: GitHub PoC


What is it?

Node_RED is an open-source IoT development platform that allows users to create custom applications for various devices. The vulnerability in question affects the authentication mechanism of Node_RED servers, allowing unauthenticated remote attackers to execute arbitrary commands with high privileges.

Am I affected?

You're affected if you run a Node_RED Server: because of the authentication flaw in the Node_RED server, an unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges. Specific version info is not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Packages

npm: lodash

Affected Products

NodeSource / Node_RED Server

How to fix

To fix this vulnerability, upgrade to Node_RED Server version 2.x or later. You can download the latest version from the official Node_RED website: https://nodered.org/download. Alternatively, apply immediate mitigations:

  • Restrict network access to your Node_RED Server instance (firewall it from the public internet)
  • Audit server logs for suspicious activity
  • Monitor for unauthorized command execution
