n8n Prototype Pollution Vulnerability in Webhook XML Parser Leading to Remote Code Execution

Vulnerability

A prototype pollution vulnerability has been identified in n8n, an open-source workflow automation platform, prior to versions 1.123.32, 2.17.4, and 2.18.1. The issue arises from the xml2js library, which n8n's webhook handler uses to parse XML request bodies. An authenticated user with permission to create or modify workflows can supply a crafted XML payload that pollutes the JavaScript object prototype. By chaining this pollution with the Git node's SSH operations, remote code execution can be achieved on the n8n host.
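As an added example (not n8n's or xml2js's own code), the following guard checks an object produced by parsing an untrusted webhook body for keys that could reach Object.prototype when the object is later merged, plus a runtime canary that detects pollution after the fact. The function names and the constructed sample bodies are assumptions; JSON.parse is used only to build a parsed object with an own "__proto__" key, the same shape an XML parser would hand back for an element of that name.

```javascript
// Keys that, when merged naively into another object, can alter Object.prototype.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed body and collect the paths of dangerous keys. Object.keys only
// yields own keys, so a parser-created own property named "__proto__" is found
// (an object literal would instead set the prototype and hide it).
function findPollutionKeys(value, path = "$", out = []) {
  if (value === null || typeof value !== "object") return out;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPollutionKeys(item, `${path}[${i}]`, out));
    return out;
  }
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (DANGEROUS_KEYS.has(key)) out.push(here);
    findPollutionKeys(value[key], here, out); // own key shadows the accessor
  }
  return out;
}

// Reject the body before it is merged into workflow data or passed to other nodes.
function isPollutionSafe(parsed) {
  return findPollutionKeys(parsed).length === 0;
}

// Runtime canary: Object.prototype normally has no enumerable own keys, so any
// key here means something has already polluted it.
function prototypeLooksPolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Constructed samples (hypothetical webhook bodies, not from the advisory).
const constructedSuspiciousBody = JSON.parse(
  '{"order":{"id":"42","__proto__":{"isAdmin":true}}}'
);
const constructedCleanBody = JSON.parse(
  '{"order":{"id":"42","items":[{"sku":"a"},{"sku":"b"}]}}'
);

console.log(findPollutionKeys(constructedSuspiciousBody)); // [ '$.order.__proto__' ]
console.log(isPollutionSafe(constructedCleanBody));        // true
console.log(prototypeLooksPolluted());                     // false
```

Running the canary at startup and after each webhook dispatch gives a cheap detection signal; the key check is the mitigation to apply before any deep merge of parsed input.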

Impact

Exploitation of this vulnerability allows for prototype pollution, which can be leveraged to execute arbitrary code on the host running n8n.

Remediation

Users should upgrade to n8n versions 1.123.32, 2.17.4, or 2.18.1. If an immediate upgrade is not possible, consider limiting workflow creation and editing permissions to trusted users as a temporary mitigation.

Added: May 4, 2026, 7:20 PM
Updated: May 4, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 7.5
exploitability: 4.3
remediation: 7.9
relevance: 7.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.