n8n, MIME Type Misconfiguration, CVE-2023-5360 (Critical)

How the CVE Works:

The vulnerability in n8n arises due to improper MIME type validation when serving binary files. Authenticated users can upload files, and the server dynamically sets the MIME type based on a user-controlled GET parameter. By manipulating this parameter (e.g., ?mimeType=text/html), an attacker can force the browser to interpret a maliciously crafted HTML file as executable content. When another authenticated user accesses the file, embedded JavaScript runs in their session, enabling attacks like account takeover via forged requests (e.g., email modification).

DailyCVE Form:

Platform: n8n
Version: <1.32.2
Vulnerability: MIME confusion
Severity: Critical
Date: 2023-10-31

What Undercode Say:

Exploit:

1. Attacker uploads HTML with JS payload:

curl -X POST -u "user:pass" -F "[email protected]" https://n8n-instance.com/binary

2. Victim visits manipulated URL:

https://n8n-instance.com/binary?id=FILE_ID&mimeType=text/html

3. Browser executes JS, e.g., sending POST to change email:

fetch('/settings/email', {method: 'POST', body: '[email protected]'});

Mitigation:

1. Patch to v1.32.2+:

npm update n8n

2. Enforce MIME validation server-side:

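// Inside the request handler that serves the binary file
const allowedTypes = ['image/png', 'application/pdf'];
if (!allowedTypes.includes(req.query.mimeType)) {
  // return so the handler does not go on to send the file
  return res.status(415).send();
}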

3. CSP headers to block inline scripts:

add_header Content-Security-Policy "default-src 'self'; script-src 'none'";
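
Mitigation steps 2 and 3 combined into one header decision, as an added example that is not n8n's own code: the requested type is normalised before the allowlist check, and anything off the list is served as a download instead of being rendered. The names resolveBinaryHeaders, normalizeMime and INLINE_SAFE are hypothetical.

```javascript
// Added example: choose response headers for a stored binary file.
// resolveBinaryHeaders, normalizeMime and INLINE_SAFE are hypothetical names.

// Allowlist from the page's snippet. text/html, application/xhtml+xml and
// image/svg+xml are deliberately absent: browsers run script in all three.
const INLINE_SAFE = new Set(['image/png', 'application/pdf']);

function normalizeMime(value) {
  // A repeated query parameter can arrive as an array; treat that as invalid.
  if (typeof value !== 'string') return null;
  // Drop parameters such as "; charset=utf-8" and normalise case/whitespace.
  const base = value.split(';')[0].trim().toLowerCase();
  return /^[a-z0-9][a-z0-9.+-]*\/[a-z0-9][a-z0-9.+-]*$/.test(base) ? base : null;
}

function resolveBinaryHeaders(requestedType, fileName) {
  const mime = normalizeMime(requestedType);
  const inline = mime !== null && INLINE_SAFE.has(mime);
  // Keep the file name to a conservative character set before echoing it.
  const safeName = String(fileName || 'download').replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    // Off-list types are never rendered: generic type plus forced download.
    'Content-Type': inline ? mime : 'application/octet-stream',
    'Content-Disposition': `${inline ? 'inline' : 'attachment'}; filename="${safeName}"`,
    // Stop the browser from sniffing the body and overriding Content-Type.
    'X-Content-Type-Options': 'nosniff',
    // Same policy as the nginx line in step 3.
    'Content-Security-Policy': "default-src 'self'; script-src 'none'",
  };
}

// Constructed sample inputs.
const samples = ['image/png', 'text/html', 'TEXT/HTML; charset=utf-8',
  'image/svg+xml', ['image/png', 'text/html'], undefined];
for (const t of samples) {
  const h = resolveBinaryHeaders(t, 'report.bin');
  console.log(JSON.stringify(t), '->', h['Content-Type'], '|', h['Content-Disposition']);
}
```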

Detection:

  • Log audit for unexpected MIME types:
    grep "mimeType=text/html" /var/log/n8n/access.log
    
  • Scan for malicious uploads:
    find /data/n8n -name "*.html" -exec grep -l "eval(" {} \;
    

References:

Sources:

Reported By: github.com