n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

Impact The use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process for example, data from prior requests, tasks, secrets, or tokens,...

GHSA-49MX-FJ45-Q3P6 n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

Impact The use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process for example, data from prior requests, tasks, secrets, or tokens,...

CVE-2025-61917

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

CVE-2025-61917 n8n Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

EUVD-2025-206795

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

CVE-2025-61917 n8n Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

CVE-2025-61917 n8n Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the sa...

CVE-2025-61917

CVE-2025-61917 affects the open‑source workflow tool n8n (versions 1.65.0 through before 1.114.3). The root cause is the use of Buffer.allocUnsafe() / Buffer.allocUnsafeSlow() inside the Task Runner, allowing untrusted code to allocate uninitialized memory that may contain residual data (prior re...

PT-2026-5931

Name of the Vulnerable Software and Affected Versions n8n versions 1.65.0 through 1.114.2 Description n8n is a workflow automation platform. The use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. This could result in...

CVE-2026-0863 Sandbox escape in n8n Python task runner allows for arbitrary code execution on the underlying host.

Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissio...

@n8n/task-runner (=1.58.0), n8n-node-dev (=1.120.0) potentially affected by CVE-2026-21877 via n8n-core (=1.121.0)

n8n-core NPM version =1.121.0 is affected by a known vulnerability. The following packages have a transitive dependency on n8n-core and may be impacted: - @n8n/task-runner =1.58.0 - n8n-node-dev =1.120.0 Source cves: CVE-2026-21877 Source advisory: SNYK:JS-N8NCORE-14894271...

@klardaten/n8n-nodes-datevconnect (>=1.0.1 <=1.0.2), @n8n/task-runner (>=1.37.0 <=1.57.1) +15 more potentially affected by CVE-2026-21877 via n8n-core (>=1.0.0 <=1.120.1)

n8n-core NPM version =1.0.0, =1.0.1, =1.37.0, =1.0.0, =0.1.0, =1.0.1, =0.3.3, =0.3.1, =1.1.0, =0.1.4, =0.4.10, =0.2.0, =0.2.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-21877 Source advisory: SNYK:JS-N8NCORE-14894271...

n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node

Impact A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process...

Cross-site Request Forgery

Jenkins Nexus Task Runner Plugin is vulnerable to a Cross-Site Request Forgery CSRF. The vulnerability is due to missing CSRF protection on sensitive plugin endpoints, where crafted requests can trigger actions without user interaction, allowing attackers to force an authenticated Jenkins user to...

Authorization Bypass

Jenkins Nexus Task Runner Plugin is vulnerable to an Authorization Bypass. The vulnerability is due to a missing permission check, allowing attackers with only Overall/Read permission to force the plugin to connect to an attacker-controlled URL using attacker-supplied credentials, potentially...

CVE-2025-64142

A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials...

CVE-2025-64141

A cross-site request forgery CSRF vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials...

EUVD-2025-36657

Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery...

Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery

Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this endpoint does not require POST...

Cross-site Request Forgery (CSRF)

Overview org.jenkins-ci.plugins:nexus-task-runner is a This plugin executes Sonatype Nexus scheduled tasks after your build. For example, if you want to refresh your Nexus's repositories index after building your project, you can use execute a Nexus task whose type is "Publish index" using this...