n8n Buffer Allocation Vulnerability in Task Runner Allows Memory Disclosure

A vulnerability in n8n's task runner, present in versions 1.65.0 prior to 1.114.3, involves the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow(). This allowed untrusted code to allocate uninitialized memory, which could contain residual data from the same Node.js process, such as information from previous requests, tasks, secrets, or tokens. This flaw resulted in potential information disclosure. The vulnerability affected deployments where Task Runners were enabled and the Code Node was active.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as secrets or tokens, through in-process memory disclosure.

Reproduction

The vulnerability can be reproduced by executing untrusted code in a task runner with the Code Node enabled. The code can allocate buffers using the unsafe allocation methods, which will return uninitialized memory that may contain sensitive residual data from the Node.js process.

Remediation

The vulnerability has been patched in n8n version 1.114.3. Users are strongly advised to upgrade to this version or later. If an immediate upgrade is not possible, the Code Node can be disabled or Task Runners can be run in external mode to reduce the risk of memory disclosure.