Summary
Pre-auth RCE in FUXA via Logic Bypass
A critical vulnerability chain exists in FUXA (v1.3.0-2706) that allows an unauthenticated remote attacker to achieve full remote code execution (RCE) as root. The exploit succeeds even when the platform is configured in its most secure state (Secure Mode enabled and Node-RED Secure Auth enabled).
Details
The vulnerability is a Path Confusion flaw in the authentication middleware. The server uses a substring match on the full URL (including query parameters) to exclude certain paths from authentication.
Involved Logic:
JavaScript:
// originalUrl still carries the query string, so the substring test below sees it
const url = req.originalUrl || req.url || req.path;
if (url.includes('/socket.io')) return next();
By appending ?x=/socket.io to any administrative request, the middleware is "tricked" into treating the request as a public WebSocket handshake, bypassing the secureEnabled and nodeRedAuthMode checks entirely.
Proof of Concept
A specially crafted request containing manipulated query parameters could bypass authentication checks on protected /nodered/* endpoints.
In configurations where Node-RED exposed privileged or command-execution capable nodes, this could lead to remote code execution within the container context.
Impact
Access Level: Unauthenticated / Remote.
Privilege Level: Access to Node-RED administrative endpoints.
Remote code execution may be possible depending on the Node-RED configuration and installed nodes.
CVSS 3.1 Score: High severity.
Description: An attacker can gain total control over the SCADA server, allowing them to intercept industrial data (MQTT/OPC-UA), manipulate PLC tags, or pivot into the internal OT network.
Root Cause & Remediation
The root cause is the reliance on req.originalUrl for security-critical routing decisions.
The Fix:
The developer must use req.path (which Express pre-parses to remove query strings) or a formal URL parser to ensure that the security check is performed only against the pathname.
JavaScript:
// Secure approach
const pathname = req.path;
if (pathname.startsWith('/socket.io/')) return next();
This issue affects only setups where Node-RED is enabled.
Impact
Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.
Affected versions
@frangoteam/fuxa (npm) >= 1.2.11, < 1.3.1
Security releases
1.3.1
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-43945? CVE-2026-43945 is a high-severity code injection vulnerability in @frangoteam/fuxa (npm), affecting versions >= 1.2.11, < 1.3.1. It is fixed in 1.3.1. Untrusted input is evaluated as executable code within the application's runtime environment.
- Which versions of @frangoteam/fuxa are affected by CVE-2026-43945? @frangoteam/fuxa (npm) versions >= 1.2.11, < 1.3.1 are affected.
- Is there a fix for CVE-2026-43945? Yes. CVE-2026-43945 is fixed in 1.3.1. Upgrade to this version or later.
- Is CVE-2026-43945 exploitable, and should I be worried? Whether CVE-2026-43945 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-43945 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-43945? Upgrade @frangoteam/fuxa to 1.3.1 or later.