CRITICAL

GHSA-wrwr-h859-xh2r

n8n Has an XML Node Prototype Pollution Patch Bypass

상세

## Impact An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host.

## Patches The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

--- n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / n8n

최초 영향 버전: 0 수정 버전: 1.123.43

수정 npm install n8n@1.123.43

npm / n8n

최초 영향 버전: 2.21.0 수정 버전: 2.22.1

수정 npm install n8n@2.22.1

npm / n8n

최초 영향 버전: 2.0.0-rc.0 수정 버전: 2.20.7

수정 npm install n8n@2.20.7

참고

https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r [WEB]
https://github.com/advisories/GHSA-hqr4-h3xv-9m3r [ADVISORY]
https://github.com/n8n-io/n8n [PACKAGE]