Platform
nodejs
Component
fuxa-server
Fixed in
1.2.9
1.2.11
CVE-2026-25938 describes a critical Remote Code Execution (RCE) vulnerability affecting fuxa-server. This flaw allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. The vulnerability impacts versions 1.2.8 through 1.2.10 and has been resolved in version 1.2.11.
The impact of CVE-2026-25938 is severe. An attacker can bypass authentication checks by sending a specially crafted request to the /nodered/flows endpoint. Successful exploitation grants the attacker complete control over the affected fuxa-server, enabling them to execute arbitrary code, steal sensitive data, modify system configurations, or potentially pivot to other systems within the network. The vulnerability affects all deployments with the Node-RED plugin enabled, even those with security settings like runtime.settings.secureEnabled enabled, indicating a broad attack surface.
CVE-2026-25938 was publicly disclosed on 2026-02-10. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium to high probability of exploitation. No proof-of-concept (PoC) code has been publicly released as of this writing, but given the nature of the vulnerability a PoC is likely to emerge. It is not currently listed on CISA KEV.
Organizations utilizing fuxa-server with the Node-RED plugin enabled are at risk, particularly those with exposed instances or those lacking robust network segmentation. Shared hosting environments where multiple users share the same fuxa-server instance are also at increased risk, as a compromise of one user's environment could potentially lead to the compromise of others.
• nodejs / server: ps aux | grep fuxa-server
• nodejs / server: journalctl -u fuxa-server -f | grep "/nodered/flows"
• generic web: curl -I <fuxa_server_ip>/nodered/flows
• generic web: Inspect access logs for requests to /nodered/flows originating from unexpected IP addresses.
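As an added example (not code from the advisory or the FUXA project), the two checks above in script form: a version test for the affected range 1.2.8 through 1.2.10, and a scan of access-log lines for requests to /nodered/flows from hosts outside an assumed allowlist. The log lines and the trusted IP are constructed samples, and the combined log format is an assumption about the deployment.

```javascript
// Added example: version-range check plus access-log detection for
// requests to /nodered/flows from non-allowlisted sources (CVE-2026-25938).
const AFFECTED_MIN = [1, 2, 8];
const FIXED_IN = [1, 2, 11];

// Lexicographic compare of [major, minor, patch] arrays.
function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}

// true for 1.2.8, 1.2.9 and 1.2.10; false for 1.2.7 or for 1.2.11 and later.
function isAffectedVersion(version) {
  const v = version.split('.').map(Number);
  return cmpVersion(v, AFFECTED_MIN) >= 0 && cmpVersion(v, FIXED_IN) < 0;
}

// Combined log format (assumed): ip ident user [timestamp] "METHOD path proto" status size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Returns one record per request to /nodered/flows whose source IP is not
// in the allowlist; any method is reported, since writes (POST) matter most.
function findSuspiciousFlowsRequests(lines, allowlist) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // skip lines that are not in the expected format
    const [, ip, ts, method, path, status] = m;
    if (!path.startsWith('/nodered/flows')) continue;
    if (allowlist.has(ip)) continue;
    hits.push({ ip, ts, method, path, status: Number(status) });
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Feb/2026:09:00:01 +0000] "GET /home HTTP/1.1" 200 512',
  '10.0.0.5 - - [10/Feb/2026:09:00:05 +0000] "GET /nodered/flows HTTP/1.1" 200 2048',
  '203.0.113.7 - - [10/Feb/2026:09:01:10 +0000] "POST /nodered/flows HTTP/1.1" 200 94',
  '198.51.100.9 - - [10/Feb/2026:09:02:00 +0000] "GET /nodered/flows?x=1 HTTP/1.1" 401 0',
];
const TRUSTED = new Set(['10.0.0.5']); // assumed operator workstation

console.log(isAffectedVersion('1.2.10'), findSuspiciousFlowsRequests(SAMPLE_LOG, TRUSTED));
```

Feed real log lines in place of SAMPLE_LOG and the operator hosts in place of TRUSTED; a 401 hit still deserves a look, since the advisory describes an authentication bypass.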
disclosure
Exploit Status
EPSS
0.14% (percentile 34%)
CISA SSVC
The primary mitigation for CVE-2026-25938 is to immediately upgrade fuxa-server to version 1.2.11 or later. If upgrading is not immediately feasible, consider disabling the Node-RED plugin entirely as a temporary workaround. While a WAF might offer some protection, it's unlikely to be effective against a crafted request designed to bypass authentication. Monitor access logs for unusual activity targeting the /nodered/flows endpoint. Review and harden Node-RED plugin configurations to minimize potential attack vectors.
Update FUXA to version 1.2.11 or later. This version contains the fix for the remote code execution vulnerability. The update can be performed from the FUXA administration dashboard or by downloading the latest release from the vendor's website.
CVE-2026-25938 is a critical Remote Code Execution vulnerability in fuxa-server versions 1.2.8 through 1.2.10, allowing unauthenticated attackers to execute code.
You are affected if you are running fuxa-server version 1.2.8, 1.2.9, or 1.2.10 and have the Node-RED plugin enabled.
Upgrade fuxa-server to version 1.2.11 or later. As a temporary workaround, disable the Node-RED plugin.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes future exploitation plausible.
Refer to the official fuxa-server security advisories on their website or GitHub repository for the latest information.