Path Traversal in node-red-contrib-huemagic

Severity:: High

Description

node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.

Recommendation

No fix is available yet. Followings are affected versions:

<= 3.0.0

References

GHSA-frpw-jrwx-hcfv
CVE-2021-25864
CWE-22
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

ReDoS Vulnerability in ua-parser-js version - CVE-2022-25927
node-cube vulnerable to prototype pollution - CVE-2025-57348
DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791
lite-server vulnerable to Denial of Service - CVE-2022-25940

Tags:: npm; node-red-contrib-huemagic

Anything's wrong? Let us know Last updated on September 07, 2023