n8n-core 1.36.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the n8n-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Cross-site Scripting (XSS) n8n-core is a Core functionality of n8n Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper enforcement of Content Security Policy in webhook response handling. An attacker can execute unauthorized scripts with same-origin privileges by crafting malicious workflows and tricking other users into interacting with them. This can result in session hijacking and account takeover. How to fix Cross-site Scripting (XSS)? Upgrade `n8n-core` to version 1.121.2, 1.122.1, 2.1.0 or higher.	<1.121.2>=1.122.0 <1.122.1>=2.0.0-rc.0 <2.1.0
C Time-of-check Time-of-use (TOCTOU) Race Condition n8n-core is a Core functionality of n8n Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via improper file access controls in the workflow creation or modification process. An attacker can modify sensitive host system files, including configuration data, and obtain user credentials by leveraging permissions to create or modify workflows. This can result in complete account takeover of any user on the instance. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `n8n-core` to version 1.122.12, 2.4.4 or higher.	<1.122.12>=2.0.0 <2.4.4
C Arbitrary File Upload n8n-core is a Core functionality of n8n Affected versions of this package are vulnerable to Arbitrary File Upload via the `Git Node`. An authenticated user can achieve execution of untrusted code by uploading malicious files that are subsequently executed by the service. This can lead to full compromise of the affected instance. How to fix Arbitrary File Upload? Upgrade `n8n-core` to version 1.120.2, 1.121.1 or higher.	<1.120.2>=1.121.0 <1.121.1
H Symlink Attack n8n-core is a Core functionality of n8n Affected versions of this package are vulnerable to Symlink Attack via the `Read/Write File` node. An attacker can access restricted files by creating symbolic links that bypass directory restrictions. How to fix Symlink Attack? Upgrade `n8n-core` to version 1.106.0 or higher.	<1.106.0

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

n8n-core is a Core functionality of n8n

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper enforcement of Content Security Policy in webhook response handling. An attacker can execute unauthorized scripts with same-origin privileges by crafting malicious workflows and tricking other users into interacting with them. This can result in session hijacking and account takeover.

How to fix Cross-site Scripting (XSS)?

Upgrade n8n-core to version 1.121.2, 1.122.1, 2.1.0 or higher.

<1.121.2>=1.122.0 <1.122.1>=2.0.0-rc.0 <2.1.0

Time-of-check Time-of-use (TOCTOU) Race Condition

n8n-core is a Core functionality of n8n

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via improper file access controls in the workflow creation or modification process. An attacker can modify sensitive host system files, including configuration data, and obtain user credentials by leveraging permissions to create or modify workflows. This can result in complete account takeover of any user on the instance.

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade n8n-core to version 1.122.12, 2.4.4 or higher.

<1.122.12>=2.0.0 <2.4.4

Arbitrary File Upload

n8n-core is a Core functionality of n8n

Affected versions of this package are vulnerable to Arbitrary File Upload via the Git Node. An authenticated user can achieve execution of untrusted code by uploading malicious files that are subsequently executed by the service. This can lead to full compromise of the affected instance.

How to fix Arbitrary File Upload?

Upgrade n8n-core to version 1.120.2, 1.121.1 or higher.

<1.120.2>=1.121.0 <1.121.1

Symlink Attack

n8n-core is a Core functionality of n8n

Affected versions of this package are vulnerable to Symlink Attack via the Read/Write File node. An attacker can access restricted files by creating symbolic links that bypass directory restrictions.

How to fix Symlink Attack?

Upgrade n8n-core to version 1.106.0 or higher.

<1.106.0

n8n-core@1.36.3 vulnerabilities

Core functionality of n8n

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically