n8n
cpe:2.3:a:n8n:n8n:*:*:*:*:node.js:*:*
- < 2.18.1
- < 2.17.4
- < 1.123.32
A vulnerability allowing global prototype pollution has been identified in n8n, an open-source workflow automation platform. This issue affects versions prior to 1.123.32, 2.17.4, and 2.18.1. The vulnerability arises when an authenticated user with permission to create or modify workflows exploits the XML Node, leading to remote code execution when combined with other nodes that take advantage of the prototype pollution.
Exploitation of this vulnerability allows for global prototype pollution, which can lead to remote code execution, particularly when the polluted prototype is exploited by other nodes in n8n.
Users are advised to upgrade to n8n versions 1.123.32, 2.17.4, or 2.18.1. If an immediate upgrade is not possible, consider limiting workflow creation and editing permissions to trusted users only, and disable the XML node by adding 'n8n-nodes-base.xml' to the 'NODES_EXCLUDE' environment variable.
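As an added example, not code from this advisory or from the n8n project: a small Node.js check that reports whether an instance falls inside the affected ranges listed above and whether the interim mitigation (excluding the XML node via NODES_EXCLUDE) is in place. It assumes NODES_EXCLUDE holds a JSON array string of node type names, as described in n8n's environment-variable documentation, and that the version string is read from the running instance; the sample values in the last line are constructed.

```javascript
// Added example: version-range and mitigation check for the n8n XML-node
// prototype-pollution advisory. Fixed versions follow the advisory text:
// 1.123.32 (1.x line), 2.17.4 (2.x up to 2.17) and 2.18.1 (2.18 line).
const FIXED = [
  { major: 1, minor: 123, patch: 32 }, // "< 1.123.32"
  { major: 2, minor: 17, patch: 4 },   // "< 2.17.4"
  { major: 2, minor: 18, patch: 1 },   // "< 2.18.1"
];
const XML_NODE = 'n8n-nodes-base.xml'; // node type named in the advisory

// Parse "1.123.31" (optionally "v1.123.31") into numeric parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised n8n version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function cmp(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// True when the version precedes the fix for its release line.
function isAffected(version) {
  const v = parseVersion(version);
  if (v.major <= 1) return cmp(v, FIXED[0]) < 0;            // "< 1.123.32"
  if (v.major === 2) {
    // 2.18.x and later compare against 2.18.1; earlier 2.x against 2.17.4.
    const fix = v.minor >= 18 ? FIXED[2] : FIXED[1];
    return cmp(v, fix) < 0;
  }
  return false; // later majors are outside the advisory's ranges
}

// NODES_EXCLUDE is a JSON array string, e.g. NODES_EXCLUDE='["n8n-nodes-base.xml"]'.
// Missing or malformed values are reported as "not excluded" (the conservative answer).
function xmlNodeExcluded(envValue) {
  if (!envValue) return false;
  try {
    const list = JSON.parse(envValue);
    return Array.isArray(list) && list.includes(XML_NODE);
  } catch (_) {
    return false;
  }
}

// Combined assessment for one instance: { affected, mitigated, action }.
function assess(version, nodesExclude) {
  const affected = isAffected(version);
  const mitigated = xmlNodeExcluded(nodesExclude);
  const action = !affected ? 'none'
    : mitigated ? 'upgrade (interim mitigation in place: XML node excluded)'
    : `upgrade now, or exclude ${XML_NODE} via NODES_EXCLUDE`;
  return { affected, mitigated, action };
}

// Constructed sample values; in practice read these from the instance.
console.log(assess('2.17.3', '["n8n-nodes-base.xml"]'));
```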