Path Traversal in node-red-contrib-huemagic

Description

node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal.in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 3.0.0

References

• GHSA-frpw-jrwx-hcfv
• CVE-2021-25864
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Path Traversal in http-server-node - CVE-2021-23797
• Path traversal in url-parse - CVE-2021-27515
• PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart - CVE-2026-41180
• React Router has Path Traversal in File Session Storage - @remix-run/node - CVE-2025-61686

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

node-red-contrib-huemagic