
Vulnerabilities from the last week
Permissive List of Allowed Inputs
n8n-nodes-base is the package that provides the base nodes of n8n.
Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the Webhook Node's IP whitelist validation, because the includes() method performs partial string matching instead of exact IP comparison. An attacker can gain unauthorized access to restricted endpoints by sending requests from an IP address that partially matches a whitelisted entry, thereby bypassing intended access controls.
Workaround
This vulnerability can be mitigated by adding authentication mechanisms such as shared secrets, HMAC signatures, or API keys, avoiding short or prefix-based whitelist entries, and enforcing IP filtering at the network layer (for example, via reverse proxies or firewalls).
Directory Traversal
MindsDB is a MindsDB server that provides server capabilities to the mindsdb native Python library.
Affected versions of this package are vulnerable to Directory Traversal via the PUT handler in the file upload API, which directly joins user-supplied input into a filesystem path without proper validation. An attacker can access and exfiltrate arbitrary files from the server, as well as cause files to be moved from their original locations, by supplying crafted JSON payloads that specify absolute or traversal-based file paths.
Missing XML Validation
org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.
Affected versions of this package are vulnerable to Missing XML Validation. An attacker can access sensitive information or cause a denial of service by submitting specially crafted XML input.
Recent vulnerabilities disclosed by Snyk
- [M] Stored XSS in net.sourceforge.plantuml:plantuml (maven)
- [M] Permissive List of Allowed Inputs in n8n-nodes-base (npm)
- [H] Prototype Pollution in pace-js (npm)
- [C] Remote Code Execution (RCE) in n8n-workflow (npm)
- [C] Remote Code Execution (RCE) in n8n-nodes-base (npm)
Snyk security researchers have disclosed 3457 vulnerabilities
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.




