Platform: nodejs
Component: fuxa-server
Fixed in: 1.2.9, 1.2.11
CVE-2026-25938 describes a critical Remote Code Execution (RCE) vulnerability affecting fuxa-server. This flaw allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. The vulnerability impacts versions 1.2.8 through 1.2.10 and has been resolved in version 1.2.11.
The impact of CVE-2026-25938 is severe. An attacker can bypass authentication checks by sending a specially crafted request to the /nodered/flows endpoint. Successful exploitation grants the attacker complete control over the affected fuxa-server, enabling them to execute arbitrary code, steal sensitive data, modify system configurations, or potentially pivot to other systems within the network. The vulnerability affects all deployments with the Node-RED plugin enabled, including those with security settings such as runtime.settings.secureEnabled turned on, so the attack surface is broad.
CVE-2026-25938 was publicly disclosed on 2026-02-10. The vulnerability's ease of exploitation and its potential for significant impact suggest a medium to high probability of exploitation. No public proof-of-concept (POC) code has been released as of this writing, but the nature of the vulnerability makes it likely that a POC will emerge. It is not currently listed on CISA KEV.
Organizations utilizing fuxa-server with the Node-RED plugin enabled are at risk, particularly those with exposed instances or those lacking robust network segmentation. Shared hosting environments where multiple users share the same fuxa-server instance are also at increased risk, as a compromise of one user's environment could potentially lead to the compromise of others.
• nodejs / server: ps aux | grep fuxa-server
• nodejs / server: journalctl -u fuxa-server -f | grep "/nodered/flows"
• generic web: curl -I <fuxa_server_ip>/nodered/flows
• generic web: Inspect access logs for requests to /nodered/flows originating from unexpected IP addresses.
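The last check above (reviewing access logs for /nodered/flows requests from unexpected sources) can be scripted. The following is an added example, not code from the advisory or from the FUXA project: it parses combined-format access log lines, reports every request to /nodered/flows whose source address is outside a hypothetical allowlist of trusted admin hosts, and also tests whether a reported fuxa-server version falls in the affected range 1.2.8 through 1.2.10. The log lines are constructed sample data.

```javascript
// Added example (not from the advisory): flag access-log requests to the
// /nodered/flows endpoint from hosts outside an allowlist, and check whether
// a fuxa-server version string is in the affected range 1.2.8 - 1.2.10.

// Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Parse one access-log line; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// True for 1.2.8, 1.2.9 and 1.2.10 (the versions the advisory lists as affected).
function affectedVersion(version) {
  const [major, minor, patch] = version.split(".").map(Number);
  return major === 1 && minor === 2 && patch >= 8 && patch <= 10;
}

// Return every /nodered/flows request whose source IP is not in the allowlist.
// The allowlist (trusted admin hosts) is an assumption of this example.
function findSuspicious(lines, allowlist) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;                               // skip unparseable lines
    if (!entry.path.startsWith("/nodered/flows")) continue;
    if (allowlist.has(entry.ip)) continue;              // expected admin traffic
    hits.push(entry);
  }
  return hits;
}

// Constructed sample log: one trusted admin host, two unexpected sources.
const SAMPLE_LOG = [
  '10.0.0.5 - admin [10/Feb/2026:09:12:01 +0000] "GET /nodered/flows HTTP/1.1" 200 1532',
  '203.0.113.77 - - [10/Feb/2026:09:14:42 +0000] "POST /nodered/flows HTTP/1.1" 200 87',
  '10.0.0.5 - admin [10/Feb/2026:09:15:10 +0000] "GET /api/project HTTP/1.1" 200 4021',
  '198.51.100.9 - - [10/Feb/2026:09:16:30 +0000] "GET /nodered/flows HTTP/1.1" 401 12',
  'malformed line that the parser must ignore',
];

const TRUSTED_ADMIN_HOSTS = new Set(["10.0.0.5"]);
for (const hit of findSuspicious(SAMPLE_LOG, TRUSTED_ADMIN_HOSTS)) {
  console.log(`${hit.time} ${hit.ip} ${hit.method} ${hit.path} -> ${hit.status}`);
}
```

A successful (200) POST from an unexpected address deserves the most attention, since the flows endpoint is where the authentication bypass is reported.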
disclosure
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25938 is to immediately upgrade fuxa-server to version 1.2.11 or later. If upgrading is not immediately feasible, consider disabling the Node-RED plugin entirely as a temporary workaround. While a WAF might offer some protection, it's unlikely to be effective against a crafted request designed to bypass authentication. Monitor access logs for unusual activity targeting the /nodered/flows endpoint. Review and harden Node-RED plugin configurations to minimize potential attack vectors.
Update FUXA to version 1.2.11 or later. This version contains the fix for the remote code execution vulnerability. The update can be performed via the FUXA management panel or by downloading the latest version from the vendor's website.
CVE-2026-25938 is a critical Remote Code Execution vulnerability in fuxa-server versions 1.2.8 through 1.2.10, allowing unauthenticated attackers to execute code.
You are affected if you are running fuxa-server version 1.2.8, 1.2.9, or 1.2.10 and have the Node-RED plugin enabled.
Upgrade fuxa-server to version 1.2.11 or later. As a temporary workaround, disable the Node-RED plugin.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation means that attacks are plausible.
Refer to the official fuxa-server security advisories on their website or GitHub repository for the latest information.