n8n
cpe:2.3:a:n8n:n8n:*:*:*:*:node.js:*:*
- < 1.113.0
A remote code execution vulnerability has been identified in the Git Node component of n8n, an open-source workflow automation platform. This issue affects both Cloud and Self-Hosted versions of n8n prior to 1.113.0. The vulnerability arises when a user clones a remote repository that contains a pre-commit hook. If the user then uses the Commit operation in the Git Node, git runs that hook as part of the commit, so the hook's contents execute with the privileges of the n8n process. An attacker who controls the repository being cloned can therefore run arbitrary code within the n8n environment, potentially compromising the system and any associated credentials or workflows.
Exploitation of this vulnerability allows for remote code execution within the n8n environment, which could lead to a system compromise and exposure of connected credentials or workflows.
To reproduce this vulnerability, clone a remote Git repository that includes a malicious pre-commit hook into a workflow that uses the Git Node. When the Commit operation is performed, git triggers the pre-commit hook and the embedded code executes. Note that a normal clone does not transfer the remote's hooks directory; the hook has to end up in the hooks directory that git consults for the local checkout, and the mitigation's disabling of bare repository support points at that layout as the relevant path.
Users are advised to upgrade to n8n version 1.113.0 or later, and to set the environment variable 'N8N_GIT_NODE_DISABLE_BARE_REPOS' to 'true' in self-hosted deployments. For n8n Cloud users, bare repository support has been disabled automatically.
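Until the upgrade is in place, a self-hosted operator can audit the local path a Git Node workflow commits into and refuse the Commit step if an executable hook is present. The following is an added example written for this page, not n8n's own code or part of the advisory; it assumes a POSIX shell and that the path given is the Git Node's local checkout directory (either a normal clone with a .git directory or a bare repository whose hooks live in hooks/ next to HEAD).

```shell
#!/bin/sh
# Added example (not n8n project code): list the hook scripts git would
# actually run for a checkout, covering both the normal clone layout
# (.git/hooks) and the bare repository layout (hooks/ beside HEAD).
# The repository path is assumed to be the Git Node's local directory.

# Print the full path of every executable, non-.sample hook in the
# hooks directory that git consults for the given repository.
list_active_hooks() {
    repo="$1"
    if [ -d "$repo/.git/hooks" ]; then
        hooks_dir="$repo/.git/hooks"
    elif [ -d "$repo/hooks" ] && [ -f "$repo/HEAD" ]; then
        hooks_dir="$repo/hooks"
    else
        return 0            # not a repository layout we recognise: nothing to report
    fi
    for f in "$hooks_dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue      # git only runs executable files
        case "$f" in *.sample) continue ;; esac    # templates git ships are inert
        printf '%s\n' "$f"
    done
}

# Exit 0 if a pre-commit hook would fire on a Commit operation, else 1.
# A workflow wrapper can call this and abort before invoking the Git Node.
has_pre_commit_hook() {
    list_active_hooks "$1" | grep -q '/pre-commit$'
}

# Usage: sh audit_hooks.sh /path/to/checkout
if [ -n "$1" ]; then
    if has_pre_commit_hook "$1"; then
        echo "refusing to commit: active pre-commit hook in $1" >&2
        exit 2
    fi
    echo "no active pre-commit hook in $1"
fi
```

The check is deliberately narrow: it only reports hooks in the default hooks directory. A repository configuration that sets core.hooksPath (supported since git 2.9) redirects git to a different directory, so a complete audit would also need to inspect the checkout's .git/config for that key. It is a stop-gap, not a substitute for upgrading to 1.113.0 and setting N8N_GIT_NODE_DISABLE_BARE_REPOS=true.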