Simonkoeck

**Name of the Vulnerable Software and Affected Versions** n8n versions prior to 1.123.32 n8n versions prior to 2.17.4 n8n versions prior to 2.18.1 **Description** An authenticated user with permissions to create or modify workflows can achieve global prototype pollution via the XML Node. Prototype pollution occurs when an attacker manipulates the prototype of an object, potentially affecting all objects of that type. This can lead to remote code execution (RCE) when combined with other nodes that exploit the polluted prototype. **Recommendations** Update to version 1.123.32 or later. Update to version 2.17.4 or later. Update to version 2.18.1 or later. Limit workflow creation and editing permissions to fully trusted users only. Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES EXCLUDE` environment variable.

**Name of the Vulnerable Software and Affected Versions** n8n versions prior to 2.14.1 n8n versions prior to 2.13.3 n8n versions prior to 1.123.26 **Description** n8n is a workflow automation platform. A user authenticated with permissions to create or modify workflows could leverage the "Combine by SQL" mode within the Merge node to read local files on the n8n host and potentially achieve remote code execution. The AlaSQL sandbox lacked sufficient restrictions on certain SQL statements, enabling an attacker to access sensitive files on the server or compromise the instance. The vulnerable component is the Merge node and its use of AlaSQL. **Recommendations** Upgrade to n8n version 2.14.1 or later. Upgrade to n8n version 2.13.3 or later. Upgrade to n8n version 1.123.26 or later. If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only. If upgrading is not immediately possible, disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES EXCLUDE` environment variable.

**Name of the Vulnerable Software and Affected Versions** H3 versions 2.0.1-beta.0 through 2.0.0-rc.8 **Description** H3 is a minimal H(TTP) framework. A Timing Side-Channel issue exists in the `requireBasicAuth` function because of the use of an unsafe string comparison (`!==`). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, bypassing password complexity protections. The code performs a string comparison between the provided password and the expected password. The `!==` operator is optimized to "fail fast," returning `false` as soon as a mismatch is found. By analyzing timing differences in responses to requests with slightly varying passwords, an attacker can determine the correct password one character at a time. This is effective in local networks or cloud environments where the attacker is co-located. The vulnerability is exploitable remotely. The vulnerable function is `requireBasicAuth`. **Recommendations** Update to version 2.0.1-rc.9 or later.

**Name of the Vulnerable Software and Affected Versions** Unhead versions prior to 2.1.11 **Description** Unhead is a document head and template manager. Before version 2.1.11, the `useHeadSafe()` function could be bypassed, allowing the injection of arbitrary HTML attributes, including event handlers, into server-side rendered (SSR) `<head>` tags. The `acceptDataAttrs` function, located in `safe.ts` (lines 16-20), permits any property key starting with 'data-' to be included in the final HTML. It only verifies the prefix, failing to check for spaces or other characters that disrupt HTML attribute parsing. This allows for the injection of malicious code through crafted `data-*` attributes. A proof-of-concept demonstrates the injection of an `onload` event handler into a `<link>` tag, leading to script execution when the stylesheet loads. This issue can be exploited in scenarios where a Nuxt application accepts SEO metadata from a content management system (CMS) or user profile, potentially affecting every page load. The vulnerable component is the `acceptDataAttrs` function, which is used to process attributes before they are interpolated into the HTML string by the `propsToString` function. **Recommendations** Update Unhead to version 2.1.11 or later.

**Name of the Vulnerable Software and Affected Versions** Unhead versions prior to 2.1.11 **Description** Unhead is a document head and template manager. The `link.href` check within the `makeTagSafe` function (located in `safe.ts`) utilizes `String.includes()`, which is case-sensitive. Browsers, however, treat URI schemes in a case-insensitive manner. Specifically, 'DATA:text/css,...' is interpreted the same as 'data:text/css,...' by the browser, but the case-sensitive check `'DATA:...'.includes('data:')` returns false. This allows an attacker to inject arbitrary CSS for UI manipulation or data exfiltration through CSS attribute selectors with background-image callbacks. The vulnerable code segment is located on lines 68-71 of `safe.ts`. An attacker can leverage this to inject CSS, for example, by using a `link` tag with an `href` attribute like `DATA:text/css,body{display:none}`. **Recommendations** Versions prior to 2.1.11 should be updated to version 2.1.11 or later. As a temporary workaround, consider modifying the `makeTagSafe` function in `safe.ts` to use a case-insensitive comparison for the `link.href` check, such as converting the value to lowercase using `.toLowerCase()` before applying the `includes()` method.

Name of the Vulnerable Software and Affected Versions Tolgee versions prior to 3.166.3 Description Tolgee is an open-source localization platform. Prior to version 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files do not disable external entity processing. An authenticated user with the ability to import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. Exploitation can involve reading files such as `/etc/passwd` and accessing environment secrets or cloud metadata credentials. This impacts multi-tenant deployments. Recommendations Update to version 3.166.3 or later.

**Name of the Vulnerable Software and Affected Versions** n8n versions prior to 1.123.10 n8n versions prior to 2.5.0 **Description** n8n, an open source workflow automation platform, contains a flaw in the Git node. This allows authenticated users with create or modify permissions for workflows to execute arbitrary system commands or read arbitrary files on the n8n host. The issue impacts systems where users have the ability to create or modify workflows. No information is available regarding the number of potentially affected devices worldwide or any real-world incidents of exploitation. The Git node is a component used for interacting with Git repositories. The `Git node` allows users to perform actions such as cloning, pulling, and pushing changes to Git repositories. **Recommendations** Upgrade to n8n version 1.123.10 or later. Upgrade to n8n version 2.5.0 or later. If upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only. If upgrading is not immediately possible, restrict or disable access to the Git node if it is not essential for operations. If upgrading is not immediately possible, deploy n8n in a hardened environment with restricted operating system privileges and network access.

**Name of the Vulnerable Software and Affected Versions** Hono versions prior to 4.11.7 **Description** The Cache Middleware component does not properly handle HTTP cache control directives such as `Cache-Control: private` or `Cache-Control: no-store`. This can lead to private or authenticated responses being cached and exposed to unauthorized users. The vulnerability exists in the cache decision logic of the Cache Middleware. The impact of this issue is Web Cache Deception and information disclosure, potentially exposing personally identifiable information or session-related data. The issue affects applications using the hono/cache middleware and relying on it to correctly honor HTTP cache control directives. **Recommendations** Update to version 4.11.7 or later.

**Name of the Vulnerable Software and Affected Versions** H3 versions prior to 1.15.5 **Description** H3 is a minimal H(TTP) framework designed for high performance and portability. A critical HTTP Request Smuggling issue exists due to a case-sensitive check for the 'Transfer-Encoding' header within the `readRawBody` function. The function specifically looks for "chunked", but the HTTP RFC specifies that this header should be case-insensitive. This allows attackers to desynchronize sockets by using mixed-case 'Transfer-Encoding' headers, potentially bypassing security controls and leading to request smuggling. The vulnerable code is located in `src/utils/body.ts`. The issue occurs because the code does not normalize the header value before checking, causing it to miss 'Transfer-Encoding' headers with mixed casing (e.g., 'ChuNked'). This can lead to the application responding immediately while the actual body remains on the socket, triggering a TE.TE desync. This is particularly impactful in containerized setups behind TCP load balancers, where attackers can smuggle requests past Web Application Firewalls (WAFs) or poison other users' connections. **Recommendations** Versions prior to 1.15.5 should be updated to version 1.15.5 or later.