Critical RCE flaw allows full takeover of n8n AI workflow platform

The formWebhook function used by n8n Form nodes to receive data doesn’t validate whether the Content-Type field of the POST request submitted by the user is set to multipart/form-data.

Imagine a very common use case in which n8n has been used to build a chat interface that allows users to upload files to the system, for example, a customer support portal that accepts error screenshots or logs, an HR system for submitting CVs, or a knowledge base where employees can upload documents to index for later querying through an LLM-powered chatbot.

In the normal flow, when the content type is multipart/form-data and the request body has a files section, n8n will parse the request with its parseFormData() function, which uses the Node.js library Formidable to handle file uploads securely by storing the file in a temp directory with a random path before populating the req.body.files global variable with the filename and location.

However, if a request has a different content type, for example application/json, n8n will parse the request body using another function called parseBody(), which behaves differently. This function extracts the request’s data section to populate the req.body.data global variable, but it also extracts any other section from the request to populate the corresponding req.body.[section name] variables with their content.

Because formWebhook doesn’t validate whether a request with a files section is actually multipart/form-data, it will call the wrong parsing function on its body, resulting in the population of the req.body.files variable with user-controlled values like filenames and paths. It will then call a function called copyBinaryFile() to copy any files from the req.body.files variable, which are supposed to be temp random paths, to persistent storage locations to be consumed by other nodes/workflows, leading to potential path traversal attacks, in which legitimate files on the system can be overwritten or loaded elsewhere in a workflow.

To exploit this vulnerability, an attacker can submit a request as application/json with a files section that specifies known file paths from the local system, including n8n configuration files that contain sensitive credentials and tokens. If these files are added into the context of an LLM-powered chatbot node, the attacker can then use the chat interface to ask questions about those files and leak their contents.

From arbitrary file read to admin privileges: The second part of the attack enabled by this vulnerability opens the “blast radius” considerably, as the ability to read any local file has serious implications due to the way n8n tracks authenticated sessions.

Session cookies are strings stored in the user’s browser to maintain their authenticated status for a period of time. Attackers regularly steal session cookies from compromised systems to bypass authentication and log in as their victims on various websites.

In n8n, session cookies are generated by combining a user’s unique ID with a SHA256 hash of the user’s email and password and then signing the result with a secret key unique to each n8n installation. The problem is that all the information needed to rebuild session cookies is located in local files. The unique secret key is stored in /home/node/.n8n/config and all user records are stored in the /home/node/.n8n/database.sqlite file. Leaking the contents of these two files allows attackers to recreate n8n-auth cookies for any users, including administrators.

With administrator privileges attackers can create new workflows, and n8n offers a node called Execute Command that does exactly what the name implies: it executes commands on the underlying operating system with the privileges of the n8n service.

“Imagine a large enterprise with 10,000+ employees with one n8n server that anyone uses,” the researchers wrote in their report. “A compromised n8n instance doesn’t just mean losing one system, it means handing attackers the keys to everything. API credentials, OAuth tokens, database connections, cloud storage, all centralized in one place. N8n becomes a single point of failure and a goldmine for threat actors.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4113980/critical-rce-flaw-allows-full-takeover-of-n8n-ai-workflow-platform.html
