Package name: axios
Node-RED version: 4.1.0
Node-red-admin "version": "4.1.1", depends on axios version 1.11.0, which contains vulnerabilities.
CVE reference link:
Thanks for reporting. I've moved this to the Core Dev category for better visibility from the core devs.
@GowriAradhya please report security issues via the project’s github security policy rather than on the community forum.
In this instance, the CVE relates to axios' handling of data: URIs. It is the node-red-admin package that uses axios, and at no time works with data: URIs. So whilst the CVE exists, it is not exposed in any meaningful form.
We will, of course, be doing a maintenance release in the near future and this will get tidied up then - but there’s no immediate issue here.