fix: Fix 44 critical issues in handlebars, lodash, @microsoft/api-extractor and 16 more

[aikido-autofix]

Upgrade dependencies to fix critical RCE vulnerabilities in Handlebars AST injection, Lodash template code injection, Convict prototype pollution, and Undici HTTP request smuggling.

⚠️ Incomplete breaking changes analysis (13/19 analyzed)

⚠️ Breaking changes analysis not available for: handlebars, lodash, @microsoft/api-extractor, cheerio, axios, @langchain/community

✅ No breaking changes from these package upgrades affect this codebase.

Analysis summary:

1. handlebars (4.7.8 => 4.7.9): Security fixes only. The codebase uses handlebars for email templates and express views, but the security restrictions don't affect the current usage patterns.

2. lodash (4.17.23 => 4.18.1):

   • _.unset / _.omit changes: The codebase uses lodash/unset and lodash/omit extensively, but none of the usages attempt to delete constructor or prototype properties. All usages pass static field names or user-controlled field names that don't target these protected properties.

   • _.template changes: The codebase does not use lodash/template at all.

3. lodash-es (4.17.23 => 4.18.1): Not directly imported or used in the codebase.

4. node-forge (1.3.2 => 1.4.0): The package is listed in dependencies but the breaking changes (BigInteger.modInverse, RSA signature verification, Ed25519 verification, certificate chain verification) are not used directly in the codebase.

5. path-to-regexp (8.2.0 => 8.4.0): Used as a transitive dependency through express-openapi-validator. The backtracking restrictions are internal optimizations that don't affect API usage.

6. @xmldom/xmldom (0.8.10 => 0.8.12): Used as a transitive dependency. The codebase does not call createCDATASection directly.

7. defu (6.1.4 => 6.1.5): Used as a transitive dependency. The change to ignore inherited enumerable properties is a security fix that doesn't affect normal usage patterns.

8. yaml (2.3.4 => 2.8.3):

   • Used only as a transitive dependency through @langchain/classic, postcss-load-config, and docker-compose.

   • Collection.maxFlowStringSingleLineLength is not used anywhere in the codebase.

   • Node.js version requirement change (14.6 => 14.18) is satisfied as the codebase requires Node.js >= 20.19.

All breaking changes by upgrading lodash-es from version 4.17.23 to 4.18.1 (CHANGELOG)

Version	Description
4.18.0	_.unset / _.omit: constructor and prototype are now blocked unconditionally as non-terminal path keys. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0	_.template: imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template" error, where previously they were accepted.

All breaking changes by upgrading node-forge from version 1.3.2 to 1.4.0 (CHANGELOG)

Version	Description
1.4.0	BigInteger.modInverse() now exits early with zero when the target object value is <= 0, instead of entering an infinite loop
1.4.0	RSA PKCS#1 v1.5 signature verification now rejects signatures that lack the required minimum of 8 bytes of padding
1.4.0	RSA signature verification now rejects forged signatures with extra fields in the ASN.1 DigestInfo structure (requires sequence length of two)
1.4.0	Ed25519 signature verification now rejects non-canonical signatures where scalar S >= L (group order)
1.4.0	pki.verifyCertificateChain() now rejects certificate chains where intermediate certificates lack basicConstraints extension

All breaking changes by upgrading path-to-regexp from version 8.2.0 to 8.4.0 (CHANGELOG)

Version	Description
8.4.0	Restricts wildcard backtracking when using more than 1 in a path
8.4.0	Rejects large optional route combinations (restricts number of generated combinations to < 256, equivalent to 8 top-level optional groups)

All breaking changes by upgrading @xmldom/xmldom from version 0.8.10 to 0.8.12 (CHANGELOG)

Version	Description
0.8.12	createCDATASection now throws InvalidCharacterError when data contains "]]>", which will break code that previously passed strings containing "]]>" to this method

All breaking changes by upgrading defu from version 6.1.4 to 6.1.5 (CHANGELOG)

Version	Description
v6.1.5	Inherited enumerable properties are now ignored, which may affect code that previously relied on merging inherited properties from prototype chains

All breaking changes by upgrading yaml from version 2.3.4 to 2.8.3 (CHANGELOG)

Version	Description
2.5.0	Drop unused Collection.maxFlowStringSingleLineLength
2.7.0	Require Node.js 14.18 or later (was 14.6)

✅ 42 CVEs resolved by this upgrade, including 6 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-33937	🚨 CRITICAL	[handlebars] A vulnerability in Handlebars.compile() allows attackers to inject arbitrary JavaScript through crafted AST objects, enabling Remote Code Execution when the NumberLiteral value field is emitted without sanitization.
CVE-2026-33941	HIGH	[handlebars] The Handlebars CLI precompiler fails to sanitize user-controlled template filenames and CLI options, allowing injection of arbitrary JavaScript into generated bundles that executes during loading. This enables remote code execution for attackers who can control precompiler inputs.
CVE-2026-33938	HIGH	[handlebars] A vulnerability allows attackers to execute arbitrary JavaScript by overwriting the @partial-block variable with a malicious Handlebars AST through helpers, enabling remote code execution when the partial block is subsequently invoked.
CVE-2026-33940	HIGH	[handlebars] A crafted object in the template context can bypass conditional guards and trigger compilation of a malicious Handlebars AST, leading to remote code execution on the server when dynamic partial lookups are used.
CVE-2026-33939	HIGH	[handlebars] Unregistered decorator syntax in templates causes unhandled TypeError that crashes the Node.js process, enabling Denial of Service attacks when compiling user-supplied templates without error handling.
GHSA-7rx3-28cr-v5wh	MEDIUM	[handlebars] A prototype method blocklist omits __lookupSetter__ while blocking its symmetric counterparts, allowing prototype pollution when the non-default allowProtoMethodsByDefault: true option is set. This creates an inconsistent security boundary enabling potential code execution or object manipulation through template injection.
CVE-2026-33916	MEDIUM	[handlebars] Prototype pollution vulnerability in resolvePartial() allows attackers to inject malicious strings into Object.prototype that are rendered as unescaped partial templates, enabling reflected or stored XSS attacks.
GHSA-442j-39wm-28r2	LOW	[handlebars] A Time-of-Check Time-of-Use (TOCTOU) vulnerability in the lookup() function allows prototype pollution and property access bypass when the compat option is enabled, potentially leading to information disclosure or code execution. The security check via lookupProperty() is discarded, and an unguarded property access is performed instead.
CVE-2026-4800	🚨 CRITICAL	[lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.
CVE-2026-2950	MEDIUM	[lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior.
CVE-2026-1525	🚨 CRITICAL	[undici] Duplicate HTTP Content-Length headers with case-variant names are allowed, creating malformed requests that can cause denial of service or enable HTTP request smuggling attacks in inconsistent header interpretation scenarios.
CVE-2026-1526	HIGH	[undici] A malicious WebSocket server can send compressed frames that expand to extremely large sizes in memory without limits, causing denial-of-service through memory exhaustion and process crash. The vulnerability stems from unbounded decompression in the permessage-deflate extension without size validation.
CVE-2026-1528	HIGH	[undici] A server can send a WebSocket frame with an extremely large 64-bit length value, causing ByteParser integer overflow that results in a fatal TypeError and process termination (DoS).
CVE-2026-2229	HIGH	[undici] A malicious WebSocket server can crash the client process by sending an invalid server_max_window_bits parameter in the permessage-deflate extension, causing an uncaught RangeError when creating a zlib decompressor with an out-of-range value.
CVE-2026-2581	MEDIUM	[undici] An uncontrolled resource consumption vulnerability in the deduplication interceptor causes memory accumulation of response data for deduplicated requests, leading to potential Denial of Service through out-of-memory crashes when processing large responses from untrusted endpoints. The vulnerability is fixed by streaming response chunks instead of accumulating full bodies and preventing late deduplication after body streaming begins.
CVE-2026-1527	MEDIUM	[undici] HTTP request smuggling vulnerability allowing CRLF injection through the upgrade option, enabling arbitrary header injection and premature request termination to smuggle data to non-HTTP services.
AIKIDO-2026-10369	LOW	[undici] Prototype pollution vulnerability allows attackers to modify object prototypes through specially crafted input with keys like __proto__ or constructor, potentially influencing application behavior or enabling further attacks.
AIKIDO-2026-10385	LOW	[undici] A prototype pollution vulnerability allows attackers to inject special keys like __proto__, constructor, or prototype into internal objects, potentially modifying the prototype chain and influencing application behavior or enabling further attacks.
CVE-2026-33863	🚨 CRITICAL	[convict] Prototype pollution vulnerability in config loading and schema initialization allows attackers to pollute Object.prototype through __proto__ or constructor.prototype keys, potentially leading to authentication bypass or RCE depending on how polluted properties are used.
CVE-2026-33864	🚨 CRITICAL	[convict] Prototype pollution vulnerability in configuration handling allows attackers to pollute Object.prototype via crafted input, potentially enabling authentication bypass, denial of service, or remote code execution in downstream applications.
CVE-2025-62718	🚨 CRITICAL	[axios] Axios fails to properly normalize hostnames when checking NO_PROXY rules, allowing requests to loopback addresses (localhost., [::1]) to bypass proxy protections and reach internal services. This enables proxy bypass and SSRF attacks against protected loopback or internal endpoints.
CVE-2026-33036	HIGH	[fast-xml-parser] Numeric character references and standard XML entities bypass entity expansion limits, allowing attackers to cause XML entity expansion Denial of Service by forcing excessive memory allocation and CPU usage through crafted XML payloads.
CVE-2026-33349	MEDIUM	[fast-xml-parser] XML entity expansion vulnerability where setting maxEntityCount or maxEntitySize to 0 is bypassed due to JavaScript falsy checks, allowing attackers to cause denial of service through memory exhaustion. The vulnerability affects configurations explicitly set to restrict or disable entities.
CVE-2026-33891	HIGH	[node-forge] An infinite loop in the BigInteger.modInverse() function causes a Denial of Service when called with zero input, hanging the process and consuming 100% CPU due to an unreachable exit condition in the Extended Euclidean Algorithm.
CVE-2026-33894	HIGH	[node-forge] RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3) due to improper ASN structure validation and insufficient padding checks. This allows attackers to forge signatures via Bleichenbacher-style attacks, enabling authentication bypass.
CVE-2026-33895	HIGH	[node-forge] Ed25519 signature verification accepts forged non-canonical signatures with unreduced scalars, allowing signature malleability attacks that bypass authentication, authorization, and deduplication logic. This enables attackers to forge valid signatures that differ from canonical ones.
CVE-2026-33896	HIGH	[node-forge] A vulnerability in certificate chain verification fails to enforce basicConstraints requirements when intermediate certificates lack specific extensions, allowing leaf certificates to act as CAs and sign other certificates that are incorrectly validated as legitimate.
CVE-2026-4926	HIGH	[path-to-regexp] A bad regular expression is generated for multiple sequential optional groups, causing exponential regex growth that leads to denial of service. Attackers can exploit this by crafting malicious route patterns with many optional groups to consume excessive resources.
CVE-2026-4923	LOW	[path-to-regexp] Multiple wildcards combined with parameters can generate a regular expression vulnerable to ReDoS (Regular Expression Denial of Service), causing excessive backtracking and potential denial of service when the second wildcard is not at the path end.
CVE-2026-34601	HIGH	[@xmldom/xmldom] Allows injection of CDATA terminators (]]>) into CDATASection nodes, which are emitted verbatim during serialization, enabling XML structure injection and manipulation of downstream processing. This permits attackers to break out of CDATA sections and inject arbitrary XML markup.
CVE-2026-35209	HIGH	[defu] Prototype pollution vulnerability in the defu function allows attackers to override default object properties through crafted __proto__ payloads in unsanitized user input, potentially leading to application logic bypass or information disclosure.
CVE-2026-39409	MEDIUM	[hono] The ipRestriction() middleware fails to canonicalize IPv4-mapped IPv6 addresses before applying IPv4 allow/deny rules, allowing attackers to bypass IP-based access controls in dual-stack environments.
CVE-2026-39408	MEDIUM	[hono] Path traversal vulnerability in toSSG() allows attackers to write files outside the configured output directory during static site generation using specially crafted dynamic route parameters. This enables arbitrary file write attacks that could compromise system integrity.
CVE-2026-39407	MEDIUM	[hono] Path handling inconsistency in serveStatic allows bypassing route-based authorization middleware by using repeated slashes (//) in request paths, enabling unauthorized access to protected static files.
GHSA-26pp-8wgv-hjvm	MEDIUM	[hono] Cookie names are not validated in setCookie(), serialize(), or serializeSigned(), allowing invalid characters that can cause malformed Set-Cookie headers and runtime errors when processing untrusted cookie names.
CVE-2026-39410	MEDIUM	[hono] A discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed, enabling attacker-controlled cookies to override legitimate ones through key normalization.
CVE-2026-33672	MEDIUM	[picomatch] A method injection vulnerability in POSIX bracket expressions allows specially crafted patterns to reference inherited methods, causing incorrect glob matching behavior that could bypass security-relevant filtering or validation logic. This integrity issue affects applications relying on glob patterns for access control.
CVE-2026-33671	LOW	[picomatch] Regular Expression Denial of Service (ReDoS) vulnerability in extglob pattern processing causes catastrophic backtracking on crafted patterns, allowing attackers to consume excessive CPU and block the event loop when untrusted glob patterns are compiled or matched.
CVE-2026-39406	MEDIUM	[@hono/node-server] Path handling inconsistency in serveStatic allows bypassing route-based authorization middleware by using repeated slashes (//), enabling access to protected static files. This vulnerability permits middleware bypass and unauthorized file access.
CVE-2026-33532	MEDIUM	[yaml] A stack overflow vulnerability in the YAML parser's node resolution phase allows attackers to trigger a RangeError via deeply nested YAML structures (~2-10 KB), potentially causing denial of service or process termination in applications that don't catch non-YAMLParseError exceptions.
CVE-2026-27795	MEDIUM	[@langchain/community] RecursiveUrlLoader in LangChain allows redirect-based Server-Side Request Forgery (SSRF) by validating only the initial URL while automatically following redirects to unvalidated internal endpoints. This bypass undermines SSRF protections and enables attackers to access sensitive internal or metadata services.
CVE-2026-33750	LOW	[brace-expansion] A brace pattern with zero step value causes an infinite loop, leading to denial of service through process hangs and excessive memory allocation. The vulnerability affects string expansion operations when malicious or malformed patterns are processed.

🔗 Related Tasks

• https://linear.app/n8n/issue/SEC-531/minor-upgrade-for-undici-n8n
• https://linear.app/n8n/issue/SEC-566/minor-upgrade-for-lodash-n8n
• https://linear.app/n8n/issue/SEC-564/minor-upgrade-for-lodash-es-n8n
• https://linear.app/n8n/issue/SEC-537/minor-upgrade-for-fast-xml-parser-n8n
• https://linear.app/n8n/issue/SEC-550/small-upgrade-for-handlebars-n8n
• https://linear.app/n8n/issue/SEC-560/minor-upgrade-for-node-forge-n8n
• https://linear.app/n8n/issue/SEC-549/small-upgrade-for-convict-n8n
• https://linear.app/n8n/issue/SEC-552/minor-upgrade-for-path-to-regexp-n8n
• https://linear.app/n8n/issue/SEC-561/small-upgrade-for-xmldomxmldom-n8n
• https://linear.app/n8n/issue/SEC-571/small-upgrade-for-defu-n8n

[cubic-dev-ai]

1 issue found across 6 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="package.json">

<violation number="1" location="package.json:151">
P2: This override collapses Undici v6 and v7 into a single v7 resolution, which can break packages that explicitly depend on v6.</violation>
</file>

Architecture diagram

sequenceDiagram
    participant Client as External Client / Browser
    participant App as n8n Server (Express/Hono)
    participant Config as Convict (Config Manager)
    participant Tmpl as Handlebars (Template Engine)
    participant Utils as Lodash (Utility Engine)
    participant HTTP as Axios / Undici (HTTP Client)
    participant Ext as External API / Service

    Note over App,Config: System Initialization
    App->>Config: CHANGED: Load Schema & User Config
    Config->>Config: CHANGED: Prevent Prototype Pollution (__proto__)
    Config-->>App: Validated Config Object

    Note over Client,App: Incoming Request Flow
    Client->>App: GET/POST Request (with Cookies/Headers)
    
    App->>App: CHANGED: path-to-regexp (Route Matching)
    Note right of App: Fixes ReDoS in optional groups
    
    App->>App: CHANGED: Hono Middleware (IP Restriction)
    Note right of App: Canonicalizes IPv4-mapped IPv6 for safety

    alt Template Rendering (Email / Views)
        App->>Tmpl: CHANGED: compile(templateSource)
        Tmpl->>Tmpl: CHANGED: Sanitize AST / NumberLiterals
        Note right of Tmpl: Prevents RCE via AST Injection
        Tmpl-->>App: Rendered HTML
    end

    alt Internal Data Transformation
        App->>Utils: CHANGED: _.omit() / _.unset()
        Note right of Utils: Blocks 'constructor'/'prototype' keys
        Utils-->>App: Sanitized Object
    end

    Note over App,Ext: Outbound Request Flow
    App->>HTTP: CHANGED: request(url, options)
    
    opt Proxy Enabled
        HTTP->>HTTP: CHANGED: Axios NO_PROXY Normalization
        Note right of HTTP: Prevents SSRF/Proxy Bypass (localhost)
    end

    HTTP->>Ext: CHANGED: Send HTTP Request
    Note right of HTTP: Undici validates duplicate Content-Length

    Ext-->>HTTP: Return Data (XML / WebSocket Frames)
    
    alt XML Processing
        HTTP->>App: XML String
        App->>App: CHANGED: fast-xml-parser
        Note right of App: Enforces Entity Expansion Limits (DoS)
    end

    alt WebSocket Connection
        Ext->>HTTP: Compressed WS Frames
        HTTP->>HTTP: CHANGED: Unbiased size validation
        Note right of HTTP: Prevents Memory Exhaustion (DoS)
    end

    App-->>Client: Response (200 OK)

Loading

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P2: This override collapses Undici v6 and v7 into a single v7 resolution, which can break packages that explicitly depend on v6.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 151:

<comment>This override collapses Undici v6 and v7 into a single v7 resolution, which can break packages that explicitly depend on v6.</comment>

<file context>
@@ -143,11 +136,22 @@
+      "hono@<=4.12.12": "4.12.12",
+      "@hono/node-server@<=1.19.13": "1.19.13",
+      "yaml@<=2.8.3": "2.8.3",
+      "undici@<=7.24.1": "7.24.1",
+      "fast-xml-parser": "5.5.7",
+      "picomatch@<=4.0.4": "4.0.4",
</file context>

Suggested change

	"undici@<=7.24.1": "7.24.1",
	"undici@6": "6.23.0",
	"undici@7": "7.24.1",

[n8n-assistant]

Hey @aikido-autofix[bot],

Thank you for your contribution. We appreciate the time and effort you’ve taken to submit this pull request.

Before we can proceed, please ensure the following:
• Tests are included for any new functionality, logic changes or bug fixes.
• The PR aligns with our contribution guidelines.

Regarding new nodes:
We no longer accept new nodes directly into the core codebase. Instead, we encourage contributors to follow our Community Node Submission Guide to publish nodes independently.

If your node integrates with an AI service that you own or represent, please email nodes@n8n.io and we will be happy to discuss the best approach.

About review timelines:
This PR has been added to our internal tracker as "GHC-7691". While we plan to review it, we are currently unable to provide an exact timeframe. Our goal is to begin reviews within a month, but this may change depending on team priorities. We will reach out when the review begins.

Thank you again for contributing to n8n.