n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.
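The advisory gives three fixed releases on different maintenance lines, which makes "is this install affected?" easy to get wrong with a naive version comparison. The following is an added triage helper (not code from the advisory or the n8n project) that encodes the stated range, >= 0.211.0 and below 1.120.4 / 1.121.1 / 1.122.0, and picks the nearest fixed release for each affected host; host names and versions in the sample inventory are constructed.

```python
import re

# Range stated in the advisory: affected from 0.211.0 up to the fixed release
# for the install's own major.minor line; 1.122.0 and later are fixed outright.
FIRST_AFFECTED = (0, 211, 0)
FIXED = [(1, 120, 4), (1, 121, 1), (1, 122, 0)]

# Plain MAJOR.MINOR.PATCH with an optional leading "v"; pre-release or build
# suffixes are rejected rather than guessed at.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '1.120.3' or 'v1.120.3' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version falls inside the advisory's vulnerable range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    for fixed in FIXED:
        # Same major.minor line as a fixed release: compare against that fix.
        if v[:2] == fixed[:2]:
            return v < fixed
    # Every other line (e.g. 1.119.x or 1.123.x) is fixed from 1.122.0 onwards.
    return v < (1, 122, 0)


def recommended_fix(version):
    """Earliest of the advisory's fixed releases above this version, or None."""
    v = parse_version(version)
    candidates = [fixed for fixed in FIXED if fixed > v]
    return ".".join(map(str, min(candidates))) if candidates else None


def triage(inventory):
    """inventory: iterable of (host, version). Returns (host, version, fix) for affected hosts."""
    return [(host, ver, recommended_fix(ver)) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory so the script runs stand-alone.
SAMPLE_INVENTORY = [
    ("automation-01", "1.118.2"),   # below 1.120.4 on an unpatched line
    ("automation-02", "1.120.4"),   # fixed release
    ("automation-03", "1.121.0"),   # 1.121 line, before its backported fix
    ("legacy-box", "0.199.0"),      # predates the affected range
    ("dev-box", "1.123.1"),         # later than 1.122.0
]

if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: n8n {ver} is affected; upgrade to {fix} or later")
```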
n8n, a workflow automation platform, is vulnerable to a critical Remote Code Execution (RCE) flaw. Authenticated attackers can inject malicious code during workflow configuration, leading to complete system compromise, including data theft and unauthorized operations. Immediate patching or mitigation is crucial to prevent exploitation.
Step 1 (Authentication): The attacker must first authenticate to the n8n instance, likely with valid credentials or by exploiting a separate vulnerability to gain initial access.
Step 2 (Workflow Creation/Modification): The attacker crafts a malicious workflow or modifies an existing one. This involves injecting a specially crafted expression into a workflow node's configuration, such as a code node or an expression field.
Step 3 (Payload Injection): The malicious expression contains code designed to execute arbitrary commands on the server. This could involve commands to read files, access databases, or establish reverse shells.
Step 4 (Expression Evaluation): When the workflow is triggered or executed, the n8n platform evaluates the injected expression. Due to the vulnerability, the expression is executed without proper sanitization or isolation.
Step 5 (Code Execution): The attacker's malicious code runs with the privileges of the n8n process, allowing the attacker to perform actions on the server.
Step 6 (System Compromise): The attacker leverages the code execution to achieve their objectives, such as data exfiltration, workflow modification, or complete system takeover.
The vulnerability lies within n8n's workflow expression evaluation system, which fails to adequately sanitize or isolate user-supplied expressions before executing them. The advisory describes the root cause as expressions being evaluated in an execution context that is not sufficiently isolated from the underlying runtime; it does not name the specific function or library involved. The likely cause is a missing or inadequate sandboxing layer around expression evaluation, so that an expression supplied by an authenticated user can contain code (e.g., JavaScript, Python) that runs with the privileges of the n8n process rather than being confined to the expression language. This is consistent with the fix described in the advisory, which adds safeguards to restrict what expression evaluation can do.