References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

OR
          *cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* versions up to (excluding) 1.106.0

GitHub, Inc.: https://github.com/n8n-io/n8n/pull/17735 Types: Patch

GitHub, Inc.: https://github.com/n8n-io/n8n/security/advisories/GHSA-ggjm-f3g4-rwmm Types: Vendor Advisory

n8n is a workflow automation platform. Before 1.106.0, a symlink traversal vulnerability was discovered in the Read/Write File node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links (symlinks). An attacker with the ability to create symlinks—such as by using the Execute Command node—could exploit this to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths. Users of n8n.cloud are not impacted. Affected users should update to version 1.106.0 or later.

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-59

https://github.com/n8n-io/n8n/pull/17735

https://github.com/n8n-io/n8n/security/advisories/GHSA-ggjm-f3g4-rwmm