Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Impact
A flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host.
Patches
The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
AnalysisAI
Prototype pollution in n8n's XML webhook parser (xml2js library) enables remote code execution when chained with Git node SSH operations. Authenticated users with workflow editing permissions can inject malicious XML payloads to pollute JavaScript object prototypes, then leverage the polluted prototype in Git node operations to execute arbitrary code on the n8n host server. GitHub advisory GHSA-q5f4-99jv-pgg5 confirms patches available in versions 1.123.32, 2.17.4, and 2.18.1. No CISA KEV listing or public POC identified at time of analysis, but the CVSS 10.0 score appears inconsistent with the authenticated (PR:L expected) nature described in the advisory.
Technical ContextAI
This vulnerability exploits a prototype pollution flaw in the xml2js library, a popular Node.js XML-to-JavaScript object parser used by n8n to process XML payloads in webhook requests. Prototype pollution (CWE-1321) occurs when an attacker can inject properties into JavaScript's Object.prototype, affecting all objects in the application. The vulnerability chains this pollution with n8n's Git node, which performs SSH operations. By polluting prototypes with SSH-related properties, an attacker can influence the Git node's command construction or configuration, ultimately achieving arbitrary command execution. The affected package is the n8n npm package across multiple version branches: all versions before 1.123.32, versions 2.17.0-2.17.3, and version 2.18.0. n8n is a workflow automation platform that executes user-defined workflows containing various integration nodes.
RemediationAI
Upgrade n8n to version 1.123.32 (for 1.x deployments), 2.17.4 (for 2.17.x deployments), or 2.18.1 (for 2.18.x deployments) as specified in the vendor advisory at https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5. For npm-based installations, run npm update n8n and restart the n8n service. Docker users should pull the latest patched image tags. If immediate patching is not feasible, implement the vendor-recommended temporary mitigation by restricting workflow creation and editing permissions exclusively to fully trusted administrators through n8n's role-based access control settings. Note this workaround has trade-offs: it reduces operational flexibility and does not protect against malicious or compromised trusted users. Review existing workflows for suspicious Git node configurations as a precautionary measure. Organizations using n8n Cloud should verify automatic patching status with the vendor. The vendor explicitly states the workaround does not fully remediate risk and should only be used short-term.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27102
GHSA-q5f4-99jv-pgg5