Critical N8n Sandbox Escape Could Lead to Server Compromise
Briefly

"Pillar discovered that the sandbox's sanitizer could be bypassed via JavaScript expressions that contained properties with a template literal, and via arrow functions and specific stack frame objects that would return real global objects. These weaknesses in implementation allowed the security firm to escape the n8n sandbox and achieve command execution on the server. The attack, Pillar says, led to full server compromise, allowing access to all environment variables, stored credentials, API and cloud keys, OAuth tokens, and configuration files."
"According to Pillar, a successful attack could be mounted by creating or modifying a workflow with parameters containing crafted expressions. 'The entire attack fits inside what looks like a data transformation. No special permissions required. No admin access - just a user who can edit workflows,' Pillar notes. The company reported the bug to n8n on December 21 and a fix was rolled out two days later, blocking template literals."
A critical sandbox escape (CVE-2026-25049, CVSS 9.4) affected n8n's JavaScript expression sanitization. The sanitizer could be bypassed using properties with template literals, arrow functions, and specific stack frame objects that returned real global objects. Exploitation allowed sandbox escape and arbitrary command execution on the server, resulting in full compromise of environment variables, stored credentials, API and cloud keys, OAuth tokens, and configuration files. An attacker could access connected cloud accounts, hijack AI pipelines, redirect traffic, and reach internal services on n8n cloud instances. Any user with workflow edit rights could trigger the flaw by creating or editing a workflow with crafted expressions. n8n issued fixes addressing the initial bug and its bypass in version 2.4.0.
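For teams reviewing what workflow editors have saved while they upgrade, the following added example (not code from n8n, Pillar or SecurityWeek) lists expression parameters in an exported workflow that use the two constructs the summary names, template literals and arrow functions. It assumes the export layout of a top-level `nodes` array with per-node `parameters`, and expression values stored as strings beginning with `=` and wrapped in `{{ }}`; both constructs are also common in legitimate expressions, so the output is a review queue, not a verdict.

```python
import json
import re

# Constructs the summary names as sanitizer bypass ingredients.
CONSTRUCTS = {
    "template_literal": re.compile(r"`"),
    "arrow_function": re.compile(r"=>"),
}
EXPR = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def iter_strings(value, path=""):
    """Yield (path, string) for every string nested in a JSON value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from iter_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from iter_strings(child, f"{path}[{index}]")


def audit_workflow(workflow):
    """Return findings for expression parameters using the named constructs."""
    findings = []
    for node in workflow.get("nodes", []):
        for path, text in iter_strings(node.get("parameters", {})):
            if not text.startswith("="):  # assumed marker for expression values
                continue
            for body in EXPR.findall(text):
                hits = sorted(n for n, rx in CONSTRUCTS.items() if rx.search(body))
                if hits:
                    findings.append({"node": node.get("name"), "param": path,
                                     "constructs": hits, "expression": body.strip()})
    return findings


# Constructed sample export (benign expressions only), not taken from the page.
SAMPLE = json.loads(r'''
{"name": "demo", "nodes": [
  {"name": "Set A", "parameters": {"value": "={{ $json.first + ' ' + $json.last }}"}},
  {"name": "Set B", "parameters": {"fields": [{"value": "={{ `Hello ${$json.name}` }}"}]}},
  {"name": "Code C", "parameters": {"value": "={{ $json.items.map(i => i.id) }}"}},
  {"name": "Note D", "parameters": {"text": "plain `backticks` => not an expression"}}
]}
''')

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Pair the findings with the workflow's edit history to see who introduced each flagged expression and when.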
Read at SecurityWeek