Jjjutla

**Name of the Vulnerable Software and Affected Versions** n8n versions prior to 1.123.32 n8n versions prior to 2.17.4 n8n versions prior to 2.18.1 **Description** An authenticated user with a valid API key scoped to `variable:list` can read variables from projects they are not a member of. This occurs by supplying an arbitrary `projectId` query parameter to the public API variables endpoint. The handler queries the variables repository directly, bypassing the authorization-aware service layer used by the internal enterprise controller and failing to enforce project membership checks. This issue specifically affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. **Recommendations** Update to version 1.123.32. Update to version 2.17.4. Update to version 2.18.1. Rotate any credentials or tokens immediately if they were stored as variables and potentially exposed.

**Name of the Vulnerable Software and Affected Versions** n8n versions prior to 1.123.12 n8n versions prior to 2.4.0 **Description** n8n is a workflow automation platform. Before versions 1.123.12 and 2.4.0, workflows processing uploaded files and transferring them to remote servers via the SSH node lacked validation of file metadata. This could allow files to be written to unintended locations on remote systems, potentially leading to remote code execution. An attacker needs knowledge of existing workflows and unauthenticated access to file upload endpoints to exploit this issue. **Recommendations** Update n8n to version 1.123.12 or later. Update n8n to version 2.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** n8n versions 0.150.0 through 2.2.1 **Description** n8n is a workflow automation platform. A flaw in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger node creates a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. Consequently, any HTTP client with knowledge of the webhook URL can send a POST request with a matching event type, causing the workflow to execute as if a legitimate Stripe event occurred. This impacts n8n users with active workflows utilizing the Stripe Trigger node. An attacker could potentially simulate payment or subscription events, influencing downstream workflow behavior. The risk is lessened by the webhook URL containing a high-entropy UUID, though authenticated n8n users with workflow access can view this ID. The affected component is the Stripe Trigger node. **Recommendations** Versions 0.150.0 through 2.2.1 should be updated to version 2.2.2 or later. As a temporary workaround, deactivate affected workflows. Restrict access to workflows containing Stripe Trigger nodes to trusted users only.

**Name of the Vulnerable Software and Affected Versions** AutoGPT versions prior to 0.6.16 **Description** AutoGPT is a platform for creating, deploying, and managing continuous artificial intelligence agents. The external API’s `get graph execution results` endpoint has an authorization bypass. While the API correctly validates user access to the `graph id` parameter, it fails to verify ownership of the `graph exec id` parameter. This allows authenticated users to access any execution results by providing arbitrary execution IDs. The internal API implements proper validation for both parameters. **Recommendations** Update AutoGPT to version 0.6.16 or later.

**Name of the Vulnerable Software and Affected Versions** BentoML versions 1.4.0 through 1.4.19 **Description** BentoML contains a Server-Side Request Forgery (SSRF) issue in the file upload processing system. This allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. The vulnerability exists in the serialization/deserialization handlers, specifically in `MultipartSerde.parse request()` and `JSONSerde.parse request()`. The `MultipartSerde` path lacks validation, while the `JSONSerde` path has weak validation, only checking the URL scheme. **API Endpoints:** Any BentoML endpoint with file-type input parameters. **Vulnerable Parameters or Variables:** `image` (in the proof of concept), user-controlled URLs in multipart form fields and JSON request bodies. **Function Names:** `MultipartSerde.parse request()`, `MultipartSerde.ensure file()`, `JSONSerde.parse request()`. **Recommendations** Update to BentoML version 1.4.19 or later. Implement comprehensive URL validation in both serialization paths. Add network restriction checks to prevent access to internal/private network ranges, localhost, and cloud metadata endpoints. Enhance the `is http url()` function to include allowlist validation instead of just scheme checking.

**Name of the Vulnerable Software and Affected Versions** Gradio versions prior to 5.31.0 **Description** An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files to fill disk space. The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the "/gradio api/run/predict" endpoint to trigger these file copies. The vulnerable code flow involves a JSON payload sent to this endpoint, where the `path` field within the `FileData` object can reference any file on the system. The `FileData. copy to dir()` method uses this path without proper validation, allowing the copying of any file the Gradio process can read. **Recommendations** For Gradio versions prior to 5.31.0, update to version 5.31.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/gradio api/run/predict" endpoint to minimize the risk of exploitation. Additionally, restrict the use of the `path` parameter in the flagging functionality JSON payload to prevent unauthorized file copies.