CRE-2025-0178: n8n SQLite Data Loss Detection

[MAVRICK-1]

CRE-2025-0178: n8n SQLite Data Loss Detection

closes #128
/claim #128

🎯 Overview

This PR introduces a comprehensive detection rule for n8n SQLite data loss vulnerability - addressing critical workflow disappearance affecting n8n deployments globally. The rule identifies SQLite pool misconfiguration leading to complete workflow data loss requiring immediate intervention.

CRE Playground Links

CRE-2025-0178 Playground: Test Rule

📊 n8n Issues Covered

#	Issue Type	Example Error Pattern
1	SQLite Pool Misconfiguration	DB_SQLITE_POOL_SIZE=0
2	Single Connection Mode Warning	SQLite pool size is set to 0, using single connection mode
3	Workflow Count Mismatch	Workflow count mismatch: expected 5, found 0
4	Complete Workflow Loss	All workflows appear to be missing
5	Database Query Failures	Database query returned empty result
6	Execution History Loss	Execution history table is empty
7	Critical Data Loss Detection	Critical data loss detected
8	Production Impact	48 hours of work has been lost

🧪 Testing & Validation

 cat test.log | preq -r n8n-sqlite-data-loss.yaml -d 

🎬 Demo Environment

Repo link: https://github.com/MAVRICK-1/n8n-reproduction-env

Features:

Screencast.from.2025-08-29.00-17-13.mp4

• Real n8n v1.101.2 container with vulnerable SQLite configuration
• Professional TechCorp production environment simulation
• Automated vulnerability log generation with realistic patterns
• Security scanning tools integrated (./scan-vulnerabilities.sh)

git clone https://github.com/MAVRICK-1/n8n-reproduction-env
cd n8n-reproduction-env
./start.sh
./scan-vulnerabilities.sh

References

• 48 hours of work reverted during 1.100 to 1.101 update via npm n8n-io/n8n#17271
• https://docs.n8n.io/hosting/configuration/environment-variables/#sqlite
• https://www.sqlite.org/wal.html
• https://docs.n8n.io/hosting/databases/sqlite/