@n8n/api-types is a fair-code workflow automation platform with native AI capabilities

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via a lack of MIME type validation on uploaded binary files, which can be controlled through a GET parameter. This allows an authenticated attacker with member-level privileges to upload a crafted HTML file containing malicious code. If another authenticated user visits the binary data endpoint with the MIME type specified as text/html, the embedded script will execute within the user's browser session, potentially enabling account takeover, for instance, by initiating an unauthorized email address change.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the tokenization_gpt_neox_japanese.py file, within the SubWordJapaneseTokenizer class. The regex is designed to match Japanese price expressions, but because many of its components are optional (?, *), it matches overly broad patterns and exhibits exponential backtracking behavior on crafted inputs which can lead to high CPU usage.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to the improper handling of TextArea properties with default content types. An attacker can execute arbitrary scripts that impact the confidentiality, integrity, and availability of the XWiki installation by inserting malicious scripts into these properties, which are then executed after an edit by a user with higher privileges.