A set of critical vulnerabilities has been disclosed in the widely used workflow automation platform n8n, threatening organizations that rely on the tool for task automation and integrations. Security researchers have identified multiple flaws that, when chained together, could allow attackers to achieve full remote code execution on vulnerable systems. All issues affect core features of the platform and carry critical severity ratings due to their potential impact on data confidentiality, system integrity, and availability.
HTTP Request Node Flaw Enables Prototype Pollution
The most severe vulnerability affects the HTTP Request node, where improper validation of pagination parameters can lead to prototype pollution. This flaw allows an attacker with low-privileged access and workflow editing permissions to manipulate JavaScript object prototypes at a global level. By injecting malicious properties into application objects, an attacker can eventually execute arbitrary code on the host system. Given that n8n workflows frequently connect to external and internal APIs, this vulnerability greatly expands the attack surface in automation-focused environments.
Git and XML Node Vulnerabilities Deepen the Threat
A second critical flaw resides in the Git node, where argument injection during push operations could let attackers read arbitrary files on the server. This includes sensitive configuration data, credentials, and environment variables, which in many cases can lead directly to full system compromise. A third vulnerability involves a patch bypass in the XML node. Despite a prior fix for a related issue, attackers can still exploit prototype pollution through alternate paths. When combined with the other flaws, this also enables remote code execution, effectively undoing earlier security updates and leaving supposedly protected systems exposed.
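The prototype-pollution class behind both the HTTP Request node flaw and the XML node patch bypass, as an added example that is not n8n's code: a recursive merge of untrusted options in the unsafe shape that lets a `__proto__` key reach `Object.prototype`, beside a hardened merge that refuses prototype-related keys. The pagination option names and values are constructed for illustration.

```javascript
// Added example (not n8n's code): deep-merging untrusted pagination options
// into a request config, in the unsafe shape that enables prototype
// pollution, next to a hardened version that blocks it.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// UNSAFE: walks every own key of the source, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursive call
// writes attacker-chosen properties onto the global prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: skip prototype-related keys and create nested containers with a
// null prototype, so there is no prototype chain left to pollute.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed sample input: pagination options as a workflow editor could
// supply them, parsed from JSON so that "__proto__" is an own property.
const UNTRUSTED_PAGINATION = JSON.parse(
  '{"limit": 50, "__proto__": {"polluted": "yes"}}'
);

// Detection check: did merging the sample with mergeFn pollute the global
// Object.prototype? Cleans up afterwards so the check is repeatable.
function pollutes(mergeFn) {
  mergeFn({}, UNTRUSTED_PAGINATION);
  const hit = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return hit;
}
```

The same `pollutes` check is a cheap regression test to keep beside any merge, clone or option-parsing helper once a fix like the XML node patch has shipped.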
Source: Cyber Security News
