Summary: We issued an advisory last week for the "NI8MARE" vulnerability, tracked as
CVE-2024-49780. The vulnerability is a maximum-severity (CVSS 10.0) flaw impacting n8n, a popular low-code workflow automation platform. Further analysis from
Shadowserver found the vulnerability still affects nearly 60,000 instances globally a week after its public disclosure. Operators are urged to immediately patch impacted systems. While the vulnerability was discovered and reported privately by Cyera researchers in November, the public disclosure and the release of technical details mean that attackers are likely currently developing or deploying exploits. There is no official confirmation that the vulnerability is being actively exploited in the wild, but it is expected to be abused by nation-state actors and ransomware operators.
The flaw allows a remote, unauthenticated attacker to bypass security controls and execute arbitrary commands on the host system. Because n8n is designed to integrate disparate services and automate business logic, it is frequently deployed in environments with direct access to internal APIs and sensitive databases, making this RCE path particularly dangerous for organizations utilizing the software for core operations.
Security Officer Comments: The impact of this vulnerability is severe because automation tools like n8n effectively serve as the "keys to the kingdom." A compromised n8n instance provides an attacker with immediate access to the high-value credentials, API keys, and OAuth tokens stored within the platform to facilitate integrations with services like AWS, GitHub, Slack, and internal SQL databases.
NI8MARE is not just a localized server compromise but a launchpad for widespread lateral movement and supply chain attacks across an organization’s entire cloud and on-premise ecosystem. Since many n8n instances are self-hosted and internet-facing to receive webhooks, they are easily discoverable by automated scanners.
Suggested Corrections: Defenders should prioritize immediate patching to version 1.63.4 or later, rotate all credentials stored within the platform, and inspect system logs for any unusual outbound traffic or unauthorized administrative sessions initiated prior to patching.
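A fleet-triage helper for the corrections above, added here as an example and not part of the advisory or of n8n itself. The inventory is constructed; the only value taken from the advisory is the fixed version 1.63.4. It compares versions numerically because a plain string comparison misorders patch levels such as "1.63.10" against "1.63.4" and would report an unpatched host as fixed.

```python
"""Rank self-hosted n8n instances for patching (constructed example)."""
from dataclasses import dataclass

FIXED_VERSION = "1.63.4"  # fixed version stated in the advisory


@dataclass
class Instance:
    host: str
    version: str
    internet_facing: bool  # True if it receives webhooks from the public internet


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into an int tuple; pre-release/build suffixes are dropped."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str) -> bool:
    """Anything older than the fixed version is treated as affected."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(instances: list[Instance]) -> list[tuple[str, str]]:
    """Return (host, action) pairs: exposed+vulnerable first, internal vulnerable next, patched last."""
    def rank(i: Instance) -> int:
        if not is_vulnerable(i.version):
            return 2
        return 0 if i.internet_facing else 1

    actions = {
        0: "P1: patch now, rotate stored credentials, review logs for pre-patch admin sessions",
        1: "P2: patch, rotate stored credentials, review logs",
        2: "patched: rotate credentials if the host was exposed before patching",
    }
    return [(i.host, actions[rank(i)]) for i in sorted(instances, key=rank)]


# Constructed inventory (hostnames and versions are hypothetical).
INVENTORY = [
    Instance("n8n-dev.example.internal", "1.63.3", internet_facing=False),
    Instance("n8n-edge.example.internal", "1.62.0", internet_facing=True),
    Instance("n8n-prod.example.internal", "1.63.10", internet_facing=True),
]

if __name__ == "__main__":
    for host, action in triage(INVENTORY):
        print(f"{host:32} {action}")
```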
Link(s): https://community.n8n.io/t/security...erability-in-n8n-versions-1-65-1-120-4/247305