node-red is vulnerable to Argument Injection
65
Medium Risk
The Node-RED runtime exposes a Projects API that shells out to the git CLI with user-supplied refnames, remote names, remote URLs, and -c config values without validating their shape. An authenticated editor user can supply a value that begins with - or contains control characters so that git interprets it as a flag such as --upload-pack, --exec, or -c core.fsmonitor=, turning a normal projects operation into attacker-controlled flag execution. The fix introduces refname, remote-name, remote-URL, and git-config-value validators plus a central guardArgs step that rejects flag-like arguments before each git invocation in clone, pull, push, fetch, checkout, branch, commit, and file lookups.
You are affected if you are using a version that falls within the vulnerable range.
node-red is vulnerable to Argument Injection in versions 0.18.0 - 4.1.10.
Upgrade the node-red library to the patched version.