N8N Chat Trigger Component Arbitrary File Upload Vulnerability Allowing Code Execution

Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in the Chat Trigger component of N8N versions 1.95.3, 1.100.1, and 1.101.1. This vulnerability arises from inadequate file type restrictions, allowing users to upload HTML files that can execute JavaScript. When such a file is opened or previewed by another user, the embedded script runs in the context of the application, leading to stored cross-site scripting (XSS).

Impact

Exploitation of this vulnerability could result in stored cross-site scripting, where uploaded HTML files containing malicious scripts are executed in the context of the application when accessed by users.

Reproduction

To reproduce this vulnerability, upload a crafted HTML file containing JavaScript into the Chat Trigger component. Once uploaded, the file can be accessed by other users, triggering the execution of the JavaScript in their browsers.

Remediation

Users are advised to restrict allowed file types to exclude executable formats such as HTML, JavaScript, and SVG. Implement server-side validation to inspect file contents and reject files with embedded scripts. For image uploads, verify MIME types and magic numbers, not just file extensions. Additionally, serve user uploads from a separate domain or subdomain and set appropriate HTTP headers to block inline scripts.
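The server-side checks described above can be sketched as follows. This is an added example, not code from N8N or from the original advisory; the function names, the image-only allowlist and the sample buffers are assumptions made for illustration.

```javascript
// Allowlist of upload types, identified by magic number rather than by name.
const ALLOWED = [
  { mime: 'image/png',  exts: ['png'],         magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', exts: ['jpg', 'jpeg'], magic: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  exts: ['gif'],         magic: [0x47, 0x49, 0x46, 0x38] },
];

// Return the allowlist entry whose magic number matches the file's first bytes.
function sniffType(buf) {
  return ALLOWED.find(t => buf.length >= t.magic.length &&
    t.magic.every((b, i) => buf[i] === b)) || null;
}

// Accept an upload only if content, extension and declared MIME type all agree.
function validateUpload(filename, declaredMime, buf) {
  const ext = (filename.split('.').pop() || '').toLowerCase();
  const type = sniffType(buf);
  if (!type) return { ok: false, reason: 'content is not an allowed image type' };
  if (!type.exts.includes(ext)) return { ok: false, reason: 'extension does not match content' };
  if (declaredMime !== type.mime) return { ok: false, reason: 'declared MIME does not match content' };
  return { ok: true, mime: type.mime };
}

// Headers for serving a stored upload so the browser never treats it as a page.
function downloadHeaders(mime) {
  return {
    'Content-Type': mime,                  // the sniffed type, never the client's value
    'X-Content-Type-Options': 'nosniff',   // no content-type guessing by the browser
    'Content-Disposition': 'attachment',   // download instead of inline rendering
    'Content-Security-Policy': "default-src 'none'; sandbox", // no script execution
  };
}

// Constructed sample inputs: an HTML document and a minimal PNG header.
const SAMPLE_HTML = Buffer.from('<html><body><script>/* constructed */</script></body></html>');
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);

console.log(validateUpload('note.html', 'text/html', SAMPLE_HTML)); // rejected
console.log(validateUpload('pic.png', 'image/png', SAMPLE_HTML));   // rejected: renamed HTML
console.log(validateUpload('pic.png', 'image/png', SAMPLE_PNG));    // accepted
```

A magic-number match does not prove that the rest of the file is harmless, which is why the response headers matter even for accepted files.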

Added: Sep 8, 2025, 6:19 PM
Updated: Sep 8, 2025, 7:26 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 10.0
exploitability: 5.0
remediation: 0.0
relevance: 0.5
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.