n8n Prototype Pollution via XML Webhook Parser Leading to RCE

Vulnerability Description

This vulnerability exploits a prototype pollution flaw in the xml2js library used by n8n's webhook body parser. Prototype pollution occurs when untrusted data is merged into or used to modify properties of JavaScript's Object.prototype, allowing attackers to inject malicious properties into all objects in the application runtime. In this case, a specially crafted XML payload sent to a webhook endpoint can pollute the prototype chain. The critical impact stems from n8n's Git node implementation, which processes SSH operations—when the prototype is polluted with specific properties, the Git node's SSH execution context becomes compromised, enabling arbitrary command execution on the n8n host with the privileges of the n8n process.

PoC Significance for Defenders

This PoC is significant because it demonstrates a two-stage attack chain: prototype pollution + SSH operation chaining. The vulnerability requires authenticated access with workflow creation/modification permissions, which reduces immediate exposure but remains critical for multi-tenant or shared n8n instances. The PoC proves that XML parsing can bypass standard prototype pollution mitigations if not explicitly handled. Defenders need to understand that this is not a remote unauthenticated RCE—auth is required, but compromised admin accounts or insider threats represent realistic attack scenarios.

Detection Guidance

Log Indicators:

• Monitor webhook POST requests with XML Content-Type containing suspicious prototype-related properties (__proto__, constructor, prototype)
• Track workflow creation/modification events by low-privilege users
• Alert on Git node SSH operations that fail or execute with unexpected arguments
• Search application logs for patterns like xml2js parsing errors followed by prototype access anomalies

Network Signatures:

• IDS/IPS rules should flag XML bodies containing __proto__ or constructor keywords in webhook endpoints
• Monitor for Git operations over SSH spawning child processes outside normal workflow execution patterns

SIEM Queries:

• Correlate workflow modifications with subsequent unauthorized SSH operations
• Track failed XML parsing events that precede successful Git node executions

Mitigation Steps

1. Immediate Patching: Upgrade n8n to version 1.123.32, 2.17.4, or 2.18.1 or later
2. Access Control: Restrict workflow creation and editing permissions to fully trusted users only; implement principle of least privilege for role-based access
3. Network Segmentation: Isolate n8n instances from sensitive infrastructure; limit SSH access from n8n to trusted Git repositories only
4. Input Validation: If patching is delayed, implement WAF rules to block XML payloads containing __proto__, constructor, or prototype keywords
5. Rate Limiting: Apply aggressive rate limiting on webhook endpoints to slow exploitation attempts
6. Audit: Review audit logs for suspicious workflow modifications or Git operations during the window before patching

Risk Assessment

Likelihood: Moderate to high in shared n8n environments; low in single-user or strictly access-controlled deployments. The authentication requirement raises the bar, but compromised user accounts or insider threats are realistic scenarios.

Threat Actor Interest: This vulnerability is attractive to sophisticated threat actors because: (1) it chains two different attack vectors, (2) n8n is used in automation-critical workflows, (3) RCE on automation platforms provides lateral movement opportunities. Expect this to be exploited primarily in targeted campaigns against organizations using n8n for critical integrations.

CVSS Context: CVE-2026-42231 likely carries a high CVSS score (7.5-9.0 range) due to RCE impact, though the authentication requirement may prevent a perfect 10.0 score.