n8n: Microsoft SQL Node Prototype Pollution
Description
Authenticated users can pollute Object.prototype via a crafted Microsoft SQL node table parameter, crashing n8n until a restart.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Microsoft SQL node in n8n versions prior to 2.24.0 is vulnerable to global prototype pollution [1][2]. An authenticated user with permission to create or modify workflows can supply a crafted value as the node's table parameter; processing that value writes onto Object.prototype, which is shared by every object in the process, so the effect is process-wide and persists for the lifetime of the n8n server process [1][2].
Exploitation
To exploit the vulnerability, an attacker needs a valid n8n account with the ability to create or modify workflows [1][2]. The attacker places a specially crafted value in the table parameter of a Microsoft SQL node; the sources do not publish the exact payload. No further user interaction and no network position beyond ordinary authenticated access is required [1][2].
Impact
Successful exploitation pollutes Object.prototype for the entire n8n server process [1][2]. Because every object in the process inherits the injected property, validation fails application-wide and the instance stays non-functional until the server process is restarted. The reported impact is denial of service (loss of availability); the sources describe no direct confidentiality or integrity compromise [1][2].
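The mechanism described in the Vulnerability and Impact sections, as an added illustration of the bug class in general. This is not n8n's code, and the page does not disclose the actual crafted table value; the dotted-path syntax ("a.b.c"), the key name "polluted", the helper names and the strict validator are all assumptions made for this example. It shows why one assignment through "__proto__" breaks every later object, why the damage outlives the request, and what a hardened setter and a startup-baseline check look like.

```javascript
// Added illustration of prototype pollution. NOT n8n's code; the path syntax,
// key names and validator are assumptions for the demo, and the real payload
// is not published on this page.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Snapshot of Object.prototype's own keys at startup, used to detect pollution.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Vulnerable pattern: walk a user-controlled path, creating intermediate
// objects as needed. A segment of "__proto__" resolves to Object.prototype,
// so the final assignment lands on every object in the process.
function unsafeSetPath(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened version: reject prototype-related segments outright and only
// descend into properties the current object actually owns.
function safeSetPath(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) throw new Error(`refusing reserved key: ${p}`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null); // no prototype chain to walk into
    }
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// A strict validator of the kind many services use: reject unknown keys.
// `for...in` also yields inherited enumerable keys, so one polluted
// Object.prototype makes every object fail, on every request.
function validateStrict(obj, allowedKeys) {
  const unknown = [];
  for (const k in obj) {
    if (!allowedKeys.has(k)) unknown.push(k);
  }
  return { ok: unknown.length === 0, unknown };
}

// Keys present on Object.prototype now that were not there at startup.
function detectPollution() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Runs the whole story in one process and cleans up afterwards.
function demo() {
  const allowed = new Set(['table']);
  const before = validateStrict({ table: 'users' }, allowed).ok;

  unsafeSetPath({}, '__proto__.polluted', 'x'); // constructed malicious input
  const during = validateStrict({ table: 'users' }, allowed); // a fresh, unrelated object
  const detected = detectPollution();

  // A real server has no cleanup hook for a key it does not know about, which
  // is why the advisory says the instance stays broken until restart.
  delete Object.prototype.polluted;

  let rejected = false;
  try { safeSetPath({}, '__proto__.polluted', 'x'); } catch (e) { rejected = true; }

  return {
    before,
    during: during.ok,
    unknownKeys: during.unknown,
    detected,
    rejected,
    after: validateStrict({ table: 'users' }, allowed).ok,
  };
}
```

Calling `demo()` returns `before: true, during: false, unknownKeys: ['polluted'], rejected: true, after: true`. The `detectPollution()` baseline trick is a cheap runtime canary: a process that reports extra keys on Object.prototype has been polluted and should be restarted, whatever the entry point was.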
Mitigation
The issue is fixed in n8n version 2.24.0 [1][2]; upgrade to that version or later. Restarting the server clears a polluted prototype and restores service, but does nothing to stop the next crafted workflow from polluting it again. If an immediate upgrade is not possible, administrators can temporarily restrict workflow creation and editing to fully trusted users, or disable the node by adding n8n-nodes-base.microsoftSql to the NODES_EXCLUDE environment variable [1][2]. These workarounds do not fully remediate the risk and should only be used as short-term measures [1][2].
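An added operator-side check for the mitigation above; it is not part of n8n. It assumes that NODES_EXCLUDE holds a JSON array of node type names (the format n8n's documentation uses for that variable), that the fixed version is the 2.24.0 given in this advisory, and that the version string is obtained separately (for example from `n8n --version`). It also shows the common misconfiguration of setting the bare node name instead of a JSON array, which silently excludes nothing.

```javascript
// Added example, not n8n's code. Assumes NODES_EXCLUDE is a JSON array of node
// type names and that 2.24.0 is the fixed version, both taken from this
// advisory and n8n's documentation; the version string is supplied by the caller.

const FIXED = [2, 24, 0];
const NODE_TYPE = 'n8n-nodes-base.microsoftSql';

// "2.23.5" or "v2.23.5" -> [2, 23, 5]; throws on anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the running version is >= the fixed version.
function isFixedVersion(v) {
  const a = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED[i]) return a[i] > FIXED[i];
  }
  return true;
}

// True only if NODES_EXCLUDE parses as a JSON array containing the node type.
// A bare "n8n-nodes-base.microsoftSql" is not valid JSON and excludes nothing.
function nodesExcludeCovers(raw) {
  if (!raw) return false;
  let list;
  try { list = JSON.parse(raw); } catch (e) { return false; }
  return Array.isArray(list) && list.includes(NODE_TYPE);
}

// "patched" | "workaround" | "vulnerable"
function assess(version, nodesExclude) {
  if (isFixedVersion(version)) return 'patched';
  if (nodesExcludeCovers(nodesExclude)) return 'workaround';
  return 'vulnerable';
}

// Correct vs. wrong value for the workaround, for reference:
const GOOD_NODES_EXCLUDE = '["n8n-nodes-base.microsoftSql"]';
const BAD_NODES_EXCLUDE = 'n8n-nodes-base.microsoftSql';
```

Typical use is `assess(versionString, process.env.NODES_EXCLUDE)` from a deployment health check; anything other than `patched` should be treated as a finding, since `workaround` still leaves the node's code on disk and the permission model as the only barrier.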
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0): No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0): No linked articles in our index yet.