n8n-workflows Directory Traversal Vulnerability in Workflow Download Function

Vulnerability

A directory traversal vulnerability has been identified in the n8n-workflows project, specifically in the download_workflow function within api_server.py. This vulnerability allows attackers to escape the restricted directory by submitting certain payloads, such as URL-encoded backslashes, leading to the unauthorized download of arbitrary files. The issue arises from insecure path concatenation, which can be exploited on Windows systems.

Impact

Exploitation of this vulnerability allows for arbitrary file download, potentially leading to the exposure of sensitive information or files on the server.

Reproduction

To reproduce this vulnerability, send a request to the '/api/workflows/(unknown)/download' endpoint, replacing '(unknown)' with a payload that includes '..\' (backslash) or its URL-encoded equivalent '..%5c'. This will escape the restricted directory and allow the download of files from the parent directory, such as 'api_server.py'.
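The root cause stated above is insecure path concatenation: the request parameter is joined onto the workflow directory without checking that the result stays inside it, and on Windows a backslash (raw or URL-encoded) acts as a path separator. The following is an added mitigation example, not code from the n8n-workflows project: a hypothetical replacement for the path handling in a download handler that percent-decodes the name, rejects both separator kinds regardless of host OS, and then confirms the resolved path is a direct child of the workflow directory. The flat on-disk layout, the helper names and the sample file names are assumptions.

```python
import tempfile
import urllib.parse
from pathlib import Path

# Hypothetical hardened helper (assumption): workflow files are stored flat,
# without sub-directories, under one base directory and are selected by
# file name only.


class UnsafeWorkflowName(ValueError):
    """Raised when a requested workflow name could leave the workflow directory."""


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so that '..%5c' and '..%255c' both become '..\\'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_workflow_name(requested: str) -> bool:
    """True only for a bare file name: no separator of either kind, no '..', no NUL."""
    name = fully_unquote(requested)
    if not name or "\0" in name:
        return False
    # Reject '/' and '\\' on every platform: on Windows the backslash is a path
    # separator, which is exactly what the encoded-backslash payload relies on.
    if "/" in name or "\\" in name:
        return False
    if name in (".", ".."):
        return False
    return True


def resolve_workflow_path(base_dir: str, requested: str) -> Path:
    """Map a request parameter to a file under base_dir, or raise UnsafeWorkflowName.

    Two layers: the name check above, then a containment check on the fully
    resolved path so that a symlink or normalisation surprise cannot bypass it.
    """
    if not is_safe_workflow_name(requested):
        raise UnsafeWorkflowName(f"rejected workflow name: {requested!r}")
    base = Path(base_dir).resolve()
    candidate = (base / fully_unquote(requested)).resolve()
    if candidate.parent != base:  # flat layout: must be a direct child of base
        raise UnsafeWorkflowName(f"path escapes workflow directory: {candidate}")
    return candidate


def download_outcomes(base_dir: str, names) -> dict:
    """For each requested name report 'ok' or 'rejected' (used by the demo below)."""
    outcomes = {}
    for name in names:
        try:
            resolve_workflow_path(base_dir, name)
            outcomes[name] = "ok"
        except UnsafeWorkflowName:
            outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    # Constructed sample layout: a temporary workflow directory holding one
    # workflow, with a stand-in for api_server.py one level up.
    with tempfile.TemporaryDirectory() as tmp:
        workflows = Path(tmp) / "workflows"
        workflows.mkdir()
        (workflows / "example.json").write_text("{}")
        (Path(tmp) / "api_server.py").write_text("# stand-in file\n")
        requests = ["example.json", "..\\api_server.py",
                    "..%5capi_server.py", "../api_server.py"]
        for name, outcome in download_outcomes(str(workflows), requests).items():
            print(f"{name!r:24} -> {outcome}")
```

The containment check is deliberately kept even though the name check already rejects every separator: defence in depth costs one `resolve()` call, and it also catches a symlink inside the workflow directory that points elsewhere. Decoding is done before the check rather than relying on the web framework, because the page's payload arrives already encoded.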

Added: Aug 26, 2025, 2:22 PM
Updated: Aug 26, 2025, 2:22 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0 as shown)

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       0.4
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.