GHSA-mqpr-49jj-32rc
n8n: Webhook Forgery on Github Webhook Trigger
상세
## Impact An attacker who knows the webhook URL of a workflow using the GitHub Webhook Trigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node did not implement the HMAC-SHA256 signature verification that GitHub provides to authenticate webhook deliveries, allowing any party to spoof GitHub webhook events.
## Patches The issue has been fixed in n8n versions 2.5.0 and 1.123.15. Users should upgrade to one of these versions or later to remediate the vulnerability.
## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Restrict network access to the n8n webhook endpoint to known GitHub webhook IP ranges.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.