Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
vLLM, an AI framework for running large language models, has three image processing bugs that cause mismatches between what the model sees and what users expect. First, EXIF orientation data (metadata that tells how an image should be rotated) is ignored, so rotated images are processed in the wrong orientation. Second, PNG images with transparency information (the tRNS chunk, which marks certain pixels as see-through) aren't properly flattened to solid colors before processing, causing transparent pixels to become visible or distorted. Third, animated PNG and GIF files only process their first frame. These issues could alter how the model interprets image content.
Fix: A fix was merged in vLLM pull request #44974 (https://github.com/vllm-project/vllm/pull/44974). The source text does not provide specific details about what changes were made in that fix. Source: GitHub Advisory Database.
vLLM has a validation bypass where temperature values set to NaN (not-a-number) or positive Infinity pass all safety checks because comparison operators silently return False for these special float values in Python. These invalid values then reach GPU sampling kernels, causing crashes that take down the inference worker and affect all users running models on it.
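To make the NaN/Infinity bypass concrete, here is an added Python example; it is not vLLM's code, and the class and function names are my own. It shows a comparison-only range check beside a hardened one that calls `math.isfinite` first, and adds the JSON parsing step, because Python's `json` module accepts the non-standard `NaN` and `Infinity` tokens by default and its `parse_constant` hook is one place to refuse them before a validator ever sees the value.

```python
import json
import math


class InvalidSamplingParams(ValueError):
    """Validation failure that an API layer would turn into an HTTP 400."""


def verify_temperature_naive(temperature: float) -> float:
    # Vulnerable pattern: only a comparison-based range check.
    # NaN compares False against everything and +inf is not < 0, so both slip through.
    if temperature < 0.0:
        raise InvalidSamplingParams("temperature must be non-negative")
    return temperature


def verify_temperature_hardened(temperature: float) -> float:
    # Hardened: reject non-finite floats before any comparison is made.
    if not math.isfinite(temperature):
        raise InvalidSamplingParams("temperature must be a finite number")
    if temperature < 0.0:
        raise InvalidSamplingParams("temperature must be non-negative")
    return temperature


def _reject_constant(token: str):
    # json.loads calls parse_constant for the tokens NaN, Infinity and -Infinity,
    # which are not valid JSON but are accepted by Python's decoder by default.
    raise InvalidSamplingParams(f"non-finite JSON number {token!r} is not allowed")


def parse_request_strict(body: str) -> dict:
    """Parse a request body, refusing NaN/Infinity at the JSON layer."""
    return json.loads(body, parse_constant=_reject_constant)


def classify(validator, value) -> str:
    """Run a validator and report whether the value was accepted or rejected."""
    try:
        validator(value)
        return "accepted"
    except InvalidSamplingParams:
        return "rejected"


if __name__ == "__main__":
    for v in (0.7, -1.0, float("nan"), float("inf")):
        print(v, "naive:", classify(verify_temperature_naive, v),
              "hardened:", classify(verify_temperature_hardened, v))
    print('{"temperature": NaN}', classify(parse_request_strict, '{"temperature": NaN}'))
```

Rejecting the tokens at the JSON layer is defence in depth: it stops every float field at once, while the `math.isfinite` check in the validator remains the fix for values that arrive by any other path.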
n8n had a security flaw where three endpoints that change data in workflow test runs used the wrong permission scope (workflow:read instead of workflow:execute), allowing users with read-only access to start, cancel, and delete test runs they shouldn't be able to modify. This only affected enterprise versions with Advanced Permissions enabled.
Pi Agent, a coding assistant tool, had a security weakness in how it exports chat sessions to HTML files. Attackers could hide malicious links in Markdown (a text formatting system) by using special control characters that browsers would ignore, allowing XSS (cross-site scripting, where malicious code runs in a webpage) to execute in the exported HTML file if a user clicked the link. The attack requires multiple steps: an attacker must inject harmful content into a session, the user must export it as HTML, and the user must click the malicious link.
LiteLLM proxy had an authentication bypass vulnerability where a crafted Host header (the part of a web request that specifies which server is being contacted) could trick the auth layer into checking the wrong route, potentially allowing unauthorized access to protected management features. Most deployments are protected because upstream security layers like CDNs or reverse proxies validate the Host header, and LiteLLM Cloud customers are not affected.
An authenticated user in n8n (a workflow automation platform) could trick the SecurityScorecard node (a component that connects to SecurityScorecard's API) into sending an API token (a credential for accessing the service) to an attacker's server by configuring it to download reports from a malicious URL, bypassing security restrictions meant to limit where credentials can be sent. This allows the attacker to steal the API token and use it themselves.
When n8n's MCP Browser tool runs in HTTP transport mode (a way of sending data over the network), it accepts requests without authentication (verification of identity), meaning anyone on the network or visiting a website can control the user's browser, including navigating to sites, running code, and accessing cookies and stored data. This vulnerability only affects the HTTP transport mode; the default stdio transport (direct computer communication) is safe.
n8n (a workflow automation tool) has a security flaw in its Enterprise Edition where three endpoints for the Dynamic Credentials feature (a system that manages authentication tokens across workflows) fail to check if users should have access to specific workflows or credentials. An authenticated attacker could steal another user's credential tokens, take over their integrations, or disable their credentials entirely, affecting any workflows that rely on those credentials.
A vulnerability in n8n (a workflow automation tool) allowed member-level users with editor access to shared workflows to access credentials (stored login information) they shouldn't have permission to use, because permission checks weren't fully enforced on certain API endpoints. This only affected instances where workflow sharing was enabled and workflows had been shared with member-level editors.
A vulnerability in n8n's Compression node allows unauthenticated attackers to crash the entire application by sending specially crafted compressed files to public webhooks. The node decompresses archives without limiting memory usage, causing the process to run out of memory and stop working for all users on that server.
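As an added example (not n8n's code), the following Python function decompresses an in-memory ZIP while enforcing the two budgets that n8n's fix introduces, a maximum decompressed size and a maximum entry count (configured in n8n through `N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES` and `N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES`; here they are plain parameters). The byte counter runs over output actually produced, not over the sizes the archive headers declare, since those can be forged. `build_archive` constructs the sample inputs; all names are my own.

```python
import io
import zipfile


class ArchiveLimitExceeded(Exception):
    """Raised when an archive would exceed the configured decompression budget."""


def extract_zip_bounded(data: bytes, max_decompressed_bytes: int, max_entries: int) -> dict:
    """Extract an in-memory ZIP into {name: bytes}, aborting once a limit is crossed."""
    out = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise ArchiveLimitExceeded(f"{len(infos)} entries exceeds limit of {max_entries}")
        # Cheap first check on declared sizes; headers can lie, so it is not the only one.
        declared = sum(info.file_size for info in infos)
        if declared > max_decompressed_bytes:
            raise ArchiveLimitExceeded(f"declared size {declared} exceeds limit")
        for info in infos:
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    total += len(chunk)
                    # Authoritative check: count bytes as they come out of the decompressor.
                    if total > max_decompressed_bytes:
                        raise ArchiveLimitExceeded("decompressed output exceeds limit")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def check_archive(data: bytes, max_decompressed_bytes: int, max_entries: int) -> str:
    """Return 'ok' or a 'rejected: ...' reason without raising."""
    try:
        extract_zip_bounded(data, max_decompressed_bytes, max_entries)
        return "ok"
    except ArchiveLimitExceeded as exc:
        return f"rejected: {exc}"


def build_archive(entries: dict) -> bytes:
    """Constructed sample input: DEFLATE-compress {name: bytes} into a ZIP held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # 8 MiB of zeros compresses to a few KiB: small on the wire, large when inflated.
    bomb = build_archive({"zeros.bin": b"\0" * (8 * 1024 * 1024)})
    print(len(bomb), "bytes on the wire ->", check_archive(bomb, 1024 * 1024, 16))
    print(check_archive(build_archive({"hello.txt": b"hello"}), 1024 * 1024, 16))
```

The same pattern applies to gzip and tar handling: read through a size-counting wrapper and stop at the budget, rather than calling a one-shot decompress that allocates the whole output first.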
n8n, a workflow automation tool, had a security flaw where the Public API (a way for external programs to interact with n8n) incorrectly allowed users with read-only permissions to retry workflow executions. This bypassed the intended access control that separates read access (viewing only) from execute access (running workflows), affecting shared workflows across users or projects.
An authenticated user in n8n (a workflow automation platform) could bypass the AST validator (a security check that analyzes code structure) in the Python Code node and access restricted modules, potentially exposing environment variables (configuration data stored by the system) on self-hosted instances. This vulnerability only affects instances with the Python Task Runner enabled.
n8n (a workflow automation tool) has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs when users visit a page) in its Chat Trigger feature. An authenticated user with edit access could inject harmful JavaScript code that executes with the privileges of anyone who visits the chat URL, potentially compromising their session.
n8n, a workflow automation tool, has a reflected XSS vulnerability (a type of attack where malicious code is injected into a webpage and executed in a user's browser) in its Facebook, WhatsApp, and Microsoft Teams trigger endpoints. When a logged-in user visits a specially crafted URL, an unsanitized query parameter gets reflected back in the response, allowing an attacker to run arbitrary code in the user's browser within n8n's origin.
A vulnerability in n8n (a workflow automation tool) allows authenticated users to perform prototype pollution (a type of attack that modifies the base object all objects inherit from) through the Microsoft SQL node by providing a specially crafted table parameter. This attack can completely break the n8n instance by causing validation failures across the entire application until the server is restarted.
Crawl4AI's Docker API server had two security flaws that let attackers steal secrets. First, attackers could change where the server sent LLM (large language model) requests by controlling a `base_url` parameter, causing the server to send its API keys to an attacker's server. Second, attackers could read any environment variable (including passwords and secret keys) from the server by using the `env:` syntax in configuration, then combine this with the first flaw to steal those secrets. Since the Docker API required no authentication by default, anyone could exploit these flaws.
Crawl4AI's Docker API had a security flaw in its SSRF protection (a filter meant to block requests to internal servers). An attacker could bypass this filter by encoding internal IP addresses using IPv6 transition forms like NAT64, 6to4, or IPv4-mapped addresses, potentially accessing internal services and cloud metadata endpoints without needing credentials.
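The transition-form bypass is easy to reproduce with the standard library, so here is an added Python example of the defensive rule the fix adopts (reject any resolved address where `not ip.is_global`, applied to the address and to every IPv4 address embedded in it). It is not Crawl4AI's code; `embedded_ipv4`, `describe_target`, `is_allowed_target` and `deny_message` are my own names, and the input is assumed to be an already-resolved IP string rather than a hostname.

```python
import ipaddress
from ipaddress import IPv4Address, IPv6Address

# Transition-form prefixes that carry an IPv4 address in their low 32 bits.
NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 well-known prefix
IPV4_COMPATIBLE = ipaddress.ip_network("::/96")            # deprecated ::a.b.c.d form


def embedded_ipv4(ip) -> list:
    """Return every IPv4 address embedded in an IPv6 transition-form address.

    Plain IPv4 addresses and ordinary IPv6 addresses embed nothing.
    """
    if not isinstance(ip, IPv6Address):
        return []
    found = []
    if ip.ipv4_mapped is not None:          # ::ffff:a.b.c.d
        found.append(ip.ipv4_mapped)
    if ip.sixtofour is not None:            # 2002:AABB:CCDD::/48 (a.b.c.d in bits 16..47)
        found.append(ip.sixtofour)
    if ip in NAT64_WELL_KNOWN:              # 64:ff9b::a.b.c.d
        found.append(IPv4Address(int(ip) & 0xFFFFFFFF))
    if ip in IPV4_COMPATIBLE:               # ::a.b.c.d
        found.append(IPv4Address(int(ip) & 0xFFFFFFFF))
    return found


def describe_target(resolved: str):
    """Apply the single rule: the address and every embedded form must be globally routable.

    Returns (allowed, embedded_ipv4_strings). Unparseable input is rejected.
    """
    try:
        ip = ipaddress.ip_address(resolved)
    except ValueError:
        return False, []
    embedded = embedded_ipv4(ip)
    allowed = all(form.is_global for form in [ip, *embedded])
    return allowed, [str(e) for e in embedded]


def is_allowed_target(resolved: str) -> bool:
    return describe_target(resolved)[0]


def deny_message(resolved: str) -> str:
    """Opaque error text for callers: never echo the resolved address back."""
    return "ok" if is_allowed_target(resolved) else "destination not permitted"


if __name__ == "__main__":
    for sample in ("8.8.8.8", "10.0.0.1", "64:ff9b::10.0.0.1", "2002:0a00:0001::",
                   "::10.0.0.1", "::ffff:169.254.169.254", "2001:4860:4860::8888"):
        print(f"{sample:28} {describe_target(sample)}")
```

Two caveats a practitioner should know. `is_global` already excludes loopback, link-local and RFC 1918 space on both address families, which is why no hand-written blocklist is needed. Depending on the Python version, `is_global` on a v4-mapped address may return False regardless of the mapped IPv4; that is the fail-closed direction, so the rule stays safe either way, but a legitimate `::ffff:` target may be refused on older interpreters.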
Crawl4AI, a Docker API server for web crawling, had seven critical security vulnerabilities including arbitrary file writes, SSRF (server-side request forgery, where attackers trick the server into making requests to internal networks), authentication bypass on monitoring endpoints, stored XSS (cross-site scripting, where malicious code executes in users' browsers), arbitrary JavaScript execution, a hardcoded JWT secret key, and SSRF via direct crawl endpoints. Their CVSS scores ranged from 6.1 to 9.8, and the fixes were applied through input validation, blocklists for dangerous IP ranges, authentication requirements, HTML escaping, and environment variable controls.
stable-diffusion.cpp, a C/C++ library for running AI image generation models, has a heap buffer overflow vulnerability (a memory corruption bug where data writes beyond allocated memory) in how it parses PyTorch checkpoint files (.ckpt files). A malicious checkpoint file could crash the application or potentially execute harmful code if loaded by an application using vulnerable versions before master-584-0a7ae07.
stable-diffusion.cpp is a C/C++ library for running image generation models, but versions before master-584-0a7ae07 have an out-of-bounds read bug (a bug where the program accesses memory beyond its allocated space) when parsing .ckpt checkpoint files (model weight files saved in a specific format). A specially crafted or incomplete .ckpt file could crash the program or cause security issues if loaded from an untrusted source like a public model-sharing website.
Fix (vLLM, NaN/Infinity temperature): Add a `math.isfinite(self.temperature)` check in the `_verify_args()` function to reject non-finite float values with a 400 error. A fix was merged in https://github.com/vllm-project/vllm/pull/45116. Source: GitHub Advisory Database.
Fix (n8n, workflow test-run permission scope): Upgrade to n8n version 1.123.55, 2.25.7, or 2.26.2 or later. As temporary workarounds if upgrading immediately is not possible: restrict project membership to fully trusted users only, or avoid granting viewer access to projects containing sensitive workflows (though these do not fully remediate the risk). Source: GitHub Advisory Database.
Fix (Pi Agent, XSS in HTML session export): Upgrade @earendil-works/pi-coding-agent to version 0.78.1 or later. Version 0.78.1 fixes the issue by sanitizing (cleaning) Markdown links and image URLs using an allow-list (a list of approved safe formats) after removing C0 control characters. Users of the old @mariozechner/pi-coding-agent package should migrate to the new @earendil-works/pi-coding-agent package and upgrade to version 0.78.1 or later. Regenerate any shared HTML exports after upgrading if the original sessions contained untrusted content. Source: GitHub Advisory Database.
Fix (LiteLLM proxy, Host header authentication bypass): Fixed in version 1.84.0. Upgrade to 1.84.0 or later with no configuration change required. If upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the Host header before forwarding, such as a CDN/WAF (web application firewall), a reverse proxy with explicit server_name allowlists, or a cloud load balancer with host-based routing rules, or restrict network access to the proxy listener. Source: GitHub Advisory Database.
Fix (n8n, SecurityScorecard node token exfiltration): The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily: limit workflow creation and editing permissions to fully trusted users only, or disable the SecurityScorecard node by adding `n8n-nodes-base.securityScorecard` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. Source: GitHub Advisory Database.
Fix (n8n, unauthenticated MCP Browser HTTP transport): The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later. As temporary workarounds while waiting to upgrade: avoid running MCP Browser with HTTP transport and use the default stdio transport instead, or if HTTP transport is necessary, restrict network access to the listening port to trusted clients only using host-based firewall rules. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures. Source: GitHub Advisory Database.
Fix (n8n, Dynamic Credentials authorization checks): The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict n8n instance access to fully trusted users only, or disable the Dynamic Credentials feature by unsetting `N8N_ENV_FEAT_DYNAMIC_CREDENTIALS`. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures. Source: GitHub Advisory Database.
Fix (n8n, shared-workflow credential access): The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict workflow sharing to fully trusted users only and audit shared workflows for unexpected credential references or recent modifications, though these workarounds do not fully remediate the risk. Source: GitHub Advisory Database.
Fix (n8n, Compression node memory exhaustion): The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later. The fix introduces configurable limits on decompressed output size (`N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES`) and ZIP entry count (`N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES`). If upgrading is not immediately possible, administrators can temporarily disable the Compression node by adding `n8n-nodes-base.compression` to the `NODES_EXCLUDE` environment variable, or restrict public webhook workflows that accept archive file uploads to authenticated endpoints only. Source: GitHub Advisory Database.
Fix (n8n, Public API execution retry with read-only access): The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily restrict workflow sharing to fully trusted users only or restrict network access to the n8n Public API to trusted users only, though these workarounds do not fully remediate the risk. Source: GitHub Advisory Database.
Fix (n8n, Python Code node AST validator bypass): The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. As temporary workarounds, administrators can limit workflow creation and editing permissions to trusted users only, or disable the Python Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable, or disable the Python Task Runner entirely. The source notes these workarounds do not fully remediate the risk and should only be short-term measures. Source: GitHub Advisory Database.
Fix (n8n, stored XSS in Chat Trigger): The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can: limit workflow creation and editing permissions to fully trusted users only, or disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures. Source: GitHub Advisory Database.
Fix (n8n, reflected XSS in trigger endpoints): The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later. If upgrading is not immediately possible, administrators can temporarily: (1) limit workflow creation and activation permissions to fully trusted users only, or (2) disable the affected nodes by adding `n8n-nodes-base.facebookTrigger`, `n8n-nodes-base.whatsAppTrigger`, `n8n-nodes-base.facebookLeadAdsTrigger`, and `n8n-nodes-base.microsoftTeamsTrigger` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures. Source: GitHub Advisory Database.
Fix (n8n, prototype pollution via Microsoft SQL node): The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later. If upgrading immediately is not possible, administrators can temporarily: (1) restrict workflow creation and editing permissions to trusted users only, or (2) disable the Microsoft SQL node by adding `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures. Source: GitHub Advisory Database.
Fix (Crawl4AI, `base_url` redirection and `env:` secret disclosure): Upgrade to the patched version. The fix prevents request-supplied `base_url` values from being used (the server now only derives the endpoint from its configured provider name), and blocks `env:` resolution of environment variables with names containing SECRET, PASSWORD, PRIVATE, or prefixes like CRAWL4AI* and AWS_SECRET*, or specific names like SECRET_KEY, REDIS_PASSWORD, and TOKEN. As workarounds, enable authentication with `CRAWL4AI_API_TOKEN` or avoid storing sensitive secrets in the server environment alongside provider keys. Source: GitHub Advisory Database.
Fix (Crawl4AI, SSRF filter bypass via IPv6 transition forms): Upgrade to the patched version, in which the blocklist is replaced by a single rule: reject any resolved IP where `not ip.is_global`, evaluated on the address AND every embedded IPv4 transition form (v4-mapped, NAT64 `64:ff9b::/96`, 6to4 `2002::/16`, v4-compat `::/96`). Error messages are now opaque and no longer echo the resolved IP. As workarounds, enable authentication via `CRAWL4AI_API_TOKEN` or restrict the container's outbound network access through firewall rules. Source: GitHub Advisory Database.
Fix (Crawl4AI, seven vulnerabilities in the Docker API server): Upgrade to the patched version (recommended). Additionally, set `CRAWL4AI_API_TOKEN` to enable authentication, set a strong `SECRET_KEY` with minimum 32 characters if using JWT, and restrict network access to the Docker API. The fixes include: `validate_output_path()` restricting writes to `CRAWL4AI_OUTPUT_DIR`, `validate_webhook_url()` blocklisting RFC 1918/loopback/cloud metadata IPs, adding `dependencies=[Depends(token_dep)]` to the monitor router, server-side `html.escape()` and client-side `escapeHtml()` for XSS protection, disabling `/execute_js` by default via the `CRAWL4AI_EXECUTE_JS_ENABLED` env var, removing the default JWT secret and auto-generating an ephemeral key, and normalizing IPv6-mapped IPv4 addresses before blocklist checking on all crawl/md/llm endpoints. Source: GitHub Advisory Database.
Fix (stable-diffusion.cpp, heap buffer overflow in .ckpt parsing): Update to version master-584-0a7ae07 or later. As a temporary workaround if immediate updates are not possible, avoid loading .ckpt files from untrusted sources and use trusted model sources or safer formats such as .safetensors instead. Source: NVD/CVE Database.
Fix (stable-diffusion.cpp, out-of-bounds read in .ckpt parsing): Update to version master-584-0a7ae07 or later. If immediate updating is not possible, avoid loading .ckpt files from untrusted sources and use safer formats such as .safetensors instead. Source: NVD/CVE Database.