Platform
nodejs
Component
fuxa-server
Fixed version
1.2.9
1.2.11
CVE-2026-25938 describes a critical Remote Code Execution (RCE) vulnerability affecting fuxa-server. This flaw allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. The vulnerability impacts versions 1.2.8 through 1.2.10 and has been resolved in version 1.2.11.
The impact of CVE-2026-25938 is severe. An attacker can bypass authentication checks by sending a specially crafted request to the /nodered/flows endpoint. Successful exploitation grants the attacker complete control over the affected fuxa-server, enabling them to execute arbitrary code, steal sensitive data, modify system configurations, or potentially pivot to other systems within the network. The vulnerability affects all deployments with the Node-RED plugin enabled, even those with security settings like runtime.settings.secureEnabled enabled, indicating a broad attack surface.
CVE-2026-25938 was publicly disclosed on 2026-02-10. The vulnerability's ease of exploitation and the potential for significant impact suggest a medium to high probability of exploitation. No public proof-of-concept (POC) code has been released as of this writing, but the vulnerability's nature makes it likely that a POC will emerge. It is not currently listed on CISA KEV.
Organizations utilizing fuxa-server with the Node-RED plugin enabled are at risk, particularly those with exposed instances or those lacking robust network segmentation. Shared hosting environments where multiple users share the same fuxa-server instance are also at increased risk, as a compromise of one user's environment could potentially lead to the compromise of others.
• nodejs / server: ps aux | grep fuxa-server
• nodejs / server: journalctl -u fuxa-server -f | grep "/nodered/flows"
• generic web: curl -I <fuxa_server_ip>/nodered/flows
• generic web: Inspect access logs for requests to /nodered/flows originating from unexpected IP addresses.
disclosure
Exploitation status
EPSS
0.14% (34th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25938 is to immediately upgrade fuxa-server to version 1.2.11 or later. If upgrading is not immediately feasible, consider disabling the Node-RED plugin entirely as a temporary workaround. While a WAF might offer some protection, it is unlikely to be effective against a crafted request designed to bypass authentication. Monitor access logs for unusual activity targeting the /nodered/flows endpoint. Review and harden Node-RED plugin configurations to minimize potential attack vectors.
Update FUXA to version 1.2.11 or later. This version contains the fix for the remote code execution vulnerability. The update can be performed through the FUXA management console or by downloading the latest version from the vendor's website.
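The two checks the advisory asks for, a version-range test against the affected releases and a review of access logs for /nodered/flows requests from untrusted sources, as an added triage helper that is not part of the advisory or the FUXA project. It assumes a common-log-format access log and a caller-supplied allow-list of trusted networks; the sample log lines are constructed.

```python
"""Triage helper for CVE-2026-25938 (fuxa-server with the Node-RED plugin).

Added example, not code from the advisory or the FUXA project. Assumes a
common-log-format access log and an operator-supplied allow-list of trusted
source networks; both are illustrative assumptions.
"""
import re
from ipaddress import ip_address, ip_network

AFFECTED = {(1, 2, 8), (1, 2, 9), (1, 2, 10)}   # versions named in the advisory
FIXED = (1, 2, 11)
ENDPOINT = "/nodered/flows"

# ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().lstrip("v").split("."))

def is_affected(version: str, nodered_enabled: bool) -> bool:
    """Affected only when the version is in the advisory range AND Node-RED is enabled."""
    return nodered_enabled and parse_version(version) in AFFECTED

def suspicious_requests(log_lines, trusted_cidrs):
    """Return (ip, method, path, status) for /nodered/flows hits from outside trusted networks."""
    nets = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ENDPOINT):
            continue
        if any(ip_address(m["ip"]) in n for n in nets):
            continue        # expected source, nothing to review
        hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2026:10:00:01 +0000] "GET /nodered/flows HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2026:10:00:09 +0000] "POST /nodered/flows HTTP/1.1" 200 87',
    '203.0.113.7 - - [10/Feb/2026:10:00:10 +0000] "GET /home HTTP/1.1" 200 1044',
]

if __name__ == "__main__":
    print("affected:", is_affected("1.2.10", True), is_affected("1.2.11", True))
    for hit in suspicious_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("review:", hit)
```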
CVE-2026-25938 is a critical Remote Code Execution vulnerability in fuxa-server versions 1.2.8 through 1.2.10, allowing unauthenticated attackers to execute code.
You are affected if you are running fuxa-server version 1.2.8, 1.2.9, or 1.2.10 and have the Node-RED plugin enabled.
Upgrade fuxa-server to version 1.2.11 or later. As a temporary workaround, disable the Node-RED plugin.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for exploitation.
Refer to the official fuxa-server security advisories on their website or GitHub repository for the latest information.