n8n: Updates fix critical security vulnerabilities in automation platform
The update was announced to all admins via email; they should apply it promptly. Code injection is a risk.
(Image: Sashkin/Shutterstock.com)
As announced on Monday, the n8n team has now released three new versions for its popular low-code platform. These fix six security vulnerabilities, two of which are critical and allow remote code execution.
The vulnerabilities are:
- XML Node Prototype Pollution to RCE (GHSA-hqr4-h3xv-9m3r, critical)
- Prototype Pollution in XML Webhook Body Parser Leads to RCE (GHSA-q5f4-99jv-pgg5, critical)
- Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay (GHSA-r4v6-9fqc-w5jr, high)
- Python Task Runner Sandbox Escape (GHSA-44v6-jhgm-p3m4, high)
- XSS via MCP OAuth client (GHSA-537j-gqpc-p7fq, high)
- Unauthenticated Denial of Service via MCP Client Registration (GHSA-49m9-pgww-9vq6, high)
None of the vulnerabilities currently have a CVE ID, which is why we are using GitHub's own GHSA identifiers.
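Both critical advisories above name prototype pollution, the pattern in which keys from untrusted input (here an XML body) are copied onto application objects until one of them lands on Object.prototype. As an added illustration, not n8n's code: a naive recursive merge that can be steered onto the prototype, beside a merge that drops the dangerous keys. The sample body, the function names and the `isAdmin` probe property are constructed for this example.

```javascript
'use strict';

// Constructed sample: what a naive XML-to-object conversion of
//   <root><__proto__><isAdmin>true</isAdmin></__proto__></root>
// would hand to the application. JSON.parse creates an OWN "__proto__" key here,
// which Object.keys() returns like any other key.
const untrustedBody = JSON.parse('{"__proto__": {"isAdmin": "true"}}');

// Vulnerable pattern: copies every key, so target["__proto__"] resolves to
// Object.prototype and the recursion writes straight onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: refuse the keys that reach the prototype chain and only
// recurse into OWN properties of the target, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop it (or throw, to surface it in logs)
    const value = source[key];
    if (value && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging `body` with `mergeFn` leaked `isAdmin` onto Object.prototype,
// i.e. a brand-new, unrelated object suddenly "has" the attacker-chosen property.
function pollutesPrototype(mergeFn, body) {
  mergeFn({}, body);
  const leaked = ({}).isAdmin !== undefined;
  delete Object.prototype.isAdmin; // clean up so later code is unaffected
  return leaked;
}
```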
Patches in three version trees
Fortunately, neither of the two RCE vulnerabilities is exploitable by unauthenticated users, but administrators of self-hosted n8n instances should apply the patches promptly.
The patched versions are:
- For version tree 1.x: 1.123.33
- For the "Stable" version tree: 2.17.5
- For the "Beta" version tree: 2.18.1
n8n is a popular process automation tool that is also used in security operations. The project has been plagued by severe security vulnerabilities for months, and these are being actively exploited by attackers.
(cku)