Executive Summary

This vulnerability in the n8n workflow automation platform arises from the use of Node.js Buffer methods Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() within the task runner component. These methods allocate memory buffers without initializing them, which means the buffers can contain leftover data from previous operations within the same Node.js process. This residual data might include sensitive information such as prior requests, tasks, secrets, or tokens. Because untrusted code running in the task runner can allocate such uninitialized buffers, it can potentially access and disclose this sensitive information.

The issue affects n8n versions from 1.65.0 up to but not including 1.114.3 and has been fixed by replacing unsafe buffer allocation calls with safe ones that zero-initialize memory buffers. The fix involves wrapping the Buffer object with a proxy that redirects unsafe allocation calls to safe ones unless explicitly running in an insecure mode.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the disclosure of sensitive information within the same Node.js process. An attacker with low privileges and no user interaction required can exploit this to access residual data in uninitialized memory buffers. Such data may include secrets, tokens, prior requests, or other sensitive task-related information.

The impact is primarily on confidentiality, as the vulnerability allows unauthorized access to sensitive data. There is no impact on data integrity or availability. The attack vector is network-based, and the vulnerability affects deployments where the Task Runner and Code Node are enabled.

Mitigation involves upgrading to n8n version 1.114.3 or later. If upgrading is not immediately possible, workarounds include disabling the Code Node or running Task Runners in external mode to isolate untrusted code and prevent in-process memory disclosure.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the use of unsafe Buffer allocation methods (Buffer.allocUnsafe() and Buffer.allocUnsafeSlow()) in the n8n Task Runner component, which can lead to uninitialized memory exposure. Detection would involve verifying whether your n8n deployment is running a vulnerable version (from 1.65.0 up to before 1.114.3) and whether Task Runners and Code Nodes are enabled.'}, {'type': 'paragraph', 'content': 'You can check the n8n version by running the following command on the system hosting n8n:'}, {'type': 'list_item', 'content': 'n8n --version'}, {'type': 'paragraph', 'content': 'To check if Task Runners are enabled, inspect the environment variable N8N_RUNNERS_ENABLED:'}, {'type': 'list_item', 'content': 'echo $N8N_RUNNERS_ENABLED'}, {'type': 'paragraph', 'content': 'To check if the Code Node is active (default is true), check the NODES_EXCLUDE environment variable for exclusion of "n8n-nodes-base.code":'}, {'type': 'list_item', 'content': 'echo $NODES_EXCLUDE'}, {'type': 'paragraph', 'content': 'If you want to detect attempts to exploit this vulnerability, monitoring logs for unusual task executions or suspicious access to the Task Runner might help, but no specific detection commands or signatures are provided in the available resources.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary and recommended mitigation is to upgrade n8n to version 1.114.3 or later, where the vulnerability has been patched by replacing unsafe Buffer allocation methods with safe ones.'}, {'type': 'paragraph', 'content': 'If immediate upgrading is not possible, the following workarounds can reduce risk:'}, {'type': 'list_item', 'content': 'Disable the Code Node by adding "n8n-nodes-base.code" to the NODES_EXCLUDE environment variable.'}, {'type': 'list_item', 'content': 'Run Task Runners in external mode, which isolates untrusted task code in separate sidecar containers, preventing in-process memory disclosure.'}] [2, 1]

Useful 0 Not Useful 0