Platform: nodejs
Component: node-red
Fixed in: 3.1.7
CVE-2025-41656 describes a critical remote code execution (RCE) vulnerability affecting Node-RED versions from 0 through 2024-08. This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the affected system with elevated privileges. The root cause is the lack of default authentication configuration for the Node-RED server. A fix is available in version 2024.0.1.
The impact of this vulnerability is severe. An attacker can gain complete control over the affected Node-RED instance and potentially the entire system it runs on. This could lead to data breaches, system compromise, and further lateral movement within the network. Given the popularity of Node-RED for IoT and automation deployments, successful exploitation could have widespread consequences. Because no authentication is required by default, exploitation needs no user interaction. Attackers could leverage this to install malware, steal sensitive data, or disrupt operations.
This vulnerability is considered highly exploitable due to the lack of authentication, and public proof-of-concept (PoC) code is likely to emerge quickly. The vulnerability was publicly disclosed on 2025-07-01. It is advisable to monitor security advisories and threat intelligence feeds for any indications of active exploitation. The CVSS score of 10 indicates critical severity and a high probability of exploitation.
Exploit Status
EPSS
0.25% (48th percentile)
The primary mitigation is to upgrade to Node-RED version 2024.0.1 or later, which includes the authentication fix. If upgrading immediately is not possible, place a Web Application Firewall (WAF) or reverse proxy in front of the Node-RED server to restrict who can reach it and to enforce authentication. Temporarily disabling the Node-RED service is another option to reduce the immediate risk. Ensure that any existing authentication mechanisms are properly configured and enforced. After upgrading, confirm the fix by attempting to access the Node-RED server without authentication and verifying that access is denied.
Configure authentication for the Node-RED server. Consult the Node-RED documentation for instructions on how to enable and configure authentication, use strong passwords, and change any default credentials.
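The following is an added example, not code from this advisory or from the Node-RED project. It shows the two documented settings.js options that gate access to a Node-RED instance, `adminAuth` (editor and admin API) and `httpNodeAuth` (HTTP-in endpoints), with an open configuration beside a hardened one, and a small audit function that flags the weak settings before deployment. The `auditSettings` function, the sample objects and the placeholder bcrypt hashes are constructed for this example; real hashes come from `node-red admin hash-pw`.

```javascript
// Node-RED reads settings.js at startup. Without `adminAuth`, the editor and the
// admin HTTP API accept requests from anyone who can reach the listening port.

// bcrypt hash shape that Node-RED expects for adminAuth and httpNodeAuth passwords
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Constructed placeholder: replace with the output of `node-red admin hash-pw`.
const PLACEHOLDER_HASH = "$2b$08$" + "PLACEHOLDER".padEnd(53, "x");

// Weak (constructed): the stock settings.js shape with authentication left out.
const weakSettings = {
  uiPort: 1880,
  // no adminAuth: editor and /flows API are unauthenticated
  // no uiHost: Node-RED binds to all interfaces by default
};

// Hardened (constructed): credentials-based adminAuth, per-user permissions,
// loopback binding behind a reverse proxy, and auth on HTTP-in endpoints.
const hardenedSettings = {
  uiPort: 1880,
  uiHost: "127.0.0.1", // expose only through a reverse proxy that enforces access control
  adminAuth: {
    type: "credentials",
    users: [
      { username: "admin", password: PLACEHOLDER_HASH, permissions: "*" },
      { username: "viewer", password: PLACEHOLDER_HASH, permissions: "read" },
    ],
  },
  httpNodeAuth: { user: "api", pass: PLACEHOLDER_HASH },
};

// Returns a list of findings; an empty list means no weak setting was detected.
function auditSettings(settings) {
  const findings = [];
  const auth = settings.adminAuth;

  if (!auth) {
    findings.push("adminAuth missing: editor and admin API are unauthenticated");
  } else if (auth.type === "credentials") {
    const users = Array.isArray(auth.users) ? auth.users : [];
    if (users.length === 0) findings.push("adminAuth.users is empty");
    for (const u of users) {
      if (!BCRYPT_RE.test(u.password || "")) {
        findings.push(`user ${u.username}: password is not a bcrypt hash`);
      }
      if (u.permissions === undefined) {
        findings.push(`user ${u.username}: no permissions set`);
      }
    }
  }

  if (!settings.uiHost || settings.uiHost === "0.0.0.0") {
    findings.push("uiHost not restricted: editor listens on all interfaces");
  }

  if (settings.httpNodeAuth && !BCRYPT_RE.test(settings.httpNodeAuth.pass || "")) {
    findings.push("httpNodeAuth.pass is not a bcrypt hash");
  }

  return findings;
}

// Stand-alone run: print findings for both configurations.
console.log("weak:", auditSettings(weakSettings));
console.log("hardened:", auditSettings(hardenedSettings));
```

With `adminAuth` in place, an unauthenticated `GET /flows` against the admin API answers 401 instead of returning the flow definitions, which is the check the advisory describes for confirming the fix after upgrading. Plaintext passwords in `adminAuth` are rejected by the hash check above on purpose; Node-RED expects bcrypt hashes there.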
CVE-2025-41656 is a critical remote code execution vulnerability in Node-RED versions 0–2024-08. It allows unauthenticated attackers to execute commands due to a missing default authentication configuration.
You are affected if you are running Node-RED versions 0 through 2024-08. Check your version and upgrade immediately if vulnerable.
Upgrade to Node-RED version 2024.0.1 or later. As a temporary workaround, implement a WAF or disable the Node-RED service.
While no active exploitation has been confirmed, the vulnerability's critical severity and ease of exploitation make exploitation highly likely.
Refer to the official Node-RED security advisory on their website or GitHub repository for the latest information and updates.