GHSA-w96v-gf22-crwp
n8n: Webhook Node IP Whitelist Bypass via Partial String Matching
Details
## Impact The Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring.
This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary.
## Patches This issue has been patched in version 2.2.0.
Users are advised to upgrade to v2.2.0 or later, where IP whitelist validation uses strict IP comparison logic rather than partial string matching.
## Workarounds Users unable to upgrade immediately should avoid relying solely on IP whitelisting for webhook security. Recommended mitigations include: - Adding authentication mechanisms such as shared secrets, HMAC signatures, or API keys. - Avoiding short or prefix-based whitelist entries. - Enforcing IP filtering at the network layer (for example, via reverse proxies or firewalls).
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-68949 [ADVISORY]
- https://github.com/n8n-io/n8n/issues/23399 [WEB]
- https://github.com/n8n-io/n8n/pull/23399 [WEB]
- https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5 [WEB]
- https://github.com/n8n-io/n8n [PACKAGE]