Listen to this Post
The CVE-2024-XXXX vulnerability exploits a flaw in the n8n Read/Write File node’s path sanitization logic. This node uses a blocklist to prevent access to sensitive system directories (e.g., /etc/, /root/). However, its validation checks do not resolve symbolic links before applying these restrictions. An attacker can first use the Execute Command node to create a symlink pointing from a non-restricted location to a sensitive target file (e.g., ln -s /etc/passwd /tmp/bypass.txt). Subsequently, when the Read/Write File node’s operation is triggered on the symlink path (/tmp/bypass.txt), the application only validates the symlink’s path itself, which is not on the blocklist. The underlying operating system then resolves the symlink during the actual file read/write system call, granting access to the restricted target. This allows for arbitrary file read or write primitives, bypassing all application-level containment.
Platform: n8n
Version: <1.106.0
Vulnerability: Symlink Traversal
Severity: Critical
date: 2024-03-04
Prediction: Patch available
What Undercode Say:
`ln -s /etc/passwd /tmp/exploit`
`cat /tmp/exploit`
`node -e “fs.writeFileSync(‘/tmp/sym’, ‘data’);”`
`// Code checking path against blocklist: !blocklist.some(dir => filePath.startsWith(dir))`
How Exploit:
1. Attacker creates symlink to sensitive file.
2. Read/Write node processes symlink path.
3. OS resolves link, bypassing checks.
4. Sensitive file read/written.
Protection from this CVE
Update to v1.106.0.
Restrict Execute Command node.
Validate all input paths.
Impact:
Arbitrary File Read
Arbitrary File Write
System Compromise
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
