CVE-2025-61917: n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner
The use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure.
Only authenticated users are able to execute code through Task Runners.
This issue affected any deployment in which both of the following conditions were met:
- Task Runners were enabled using N8N_RUNNERS_ENABLED=true (default: false)
- Code Node was enabled (default: true)
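
The allocation behaviour described above can be closed off by handing user code a Buffer whose unsafe allocators are zero-filled. The sketch below is an added example, not n8n's code or its actual fix; makeHardenedBuffer, runUserCode, isZeroed and auditSample are hypothetical names, and the sample snippet is constructed.

```javascript
// Added example, not n8n's code. runUserCode() is a hypothetical stand-in for
// a task runner's sandbox; it only shows which Buffer object user code sees.

// Facade over Buffer: the two uninitialized allocators are redirected to
// Buffer.alloc(), which always zero-fills. Everything else passes through.
function makeHardenedBuffer() {
  const zeroFilled = (size) => Buffer.alloc(size);
  return new Proxy(Buffer, {
    get(target, prop) {
      if (prop === 'allocUnsafe' || prop === 'allocUnsafeSlow') return zeroFilled;
      return Reflect.get(target, prop);
    },
  });
}

// Run a snippet with `Buffer` bound to the facade instead of the global.
// new Function() is NOT an isolation boundary; it only shadows the name here.
function runUserCode(source, bufferImpl = makeHardenedBuffer()) {
  return new Function('Buffer', `"use strict"; ${source}`)(bufferImpl);
}

// Check used in tests: true only if every byte of the buffer is zero.
function isZeroed(buf) {
  return buf.every((byte) => byte === 0);
}

// Constructed sample "user code" exercising both allocators.
const SAMPLE = `
  return [Buffer.allocUnsafe(4096), Buffer.allocUnsafeSlow(4096)];
`;

// Returns one boolean per allocation made by the sample.
function auditSample() {
  return runUserCode(SAMPLE).map(isZeroed);
}

console.log(auditSample()); // → [ true, true ]
```

The facade only covers calls made through the injected name; starting Node.js with --zero-fill-buffers zero-fills every newly allocated Buffer process-wide.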