n8n: NoSQL Injection in MongoDB Node Find And Replace Operation
Description
Authenticated users with workflow edit access can inject malicious MongoDB filters in n8n's Find And Replace operation, leading to unintended document overwrites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In n8n versions prior to 2.24.0, the MongoDB node's Find And Replace operation passes the user-supplied filter value to MongoDB as a query filter without validating it. An authenticated user with workflow edit access can therefore supply a filter containing MongoDB query operators instead of plain field values, which is a NoSQL injection [1][2].
Exploitation
The attacker needs an authenticated n8n account with permission to create or edit workflows. They build a workflow containing the MongoDB node's Find And Replace operation and set its filter to a value that uses MongoDB query operators (for example $ne, $gt, or a regular expression) so that it matches more documents than the field was meant to select. When the workflow executes, the filter is sent to MongoDB unchanged, so the operation matches and overwrites documents beyond the intended scope [1][2].
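The following is an added example, not n8n's own code, that models the mechanism described in the Vulnerability and Exploitation sections: a JSON filter taken verbatim from an untrusted workflow field can be widened with query operators, and an equality-only check on the parsed filter stops that. The in-memory collection, the field names, and the function names are assumptions for illustration; the tiny filter evaluator exists only so the example runs offline without a MongoDB server.

```javascript
// Added example (not n8n's own code). It models the vulnerability class described
// above: a MongoDB filter taken verbatim from an untrusted workflow field can be
// widened with query operators, and an equality-only allowlist check stops that.
// The collection, field names and function names are assumptions for illustration.

// Constructed sample collection standing in for a real MongoDB collection.
const users = [
  { _id: 1, email: 'alice@example.com', role: 'user' },
  { _id: 2, email: 'bob@example.com', role: 'user' },
  { _id: 3, email: 'carol@example.com', role: 'admin' },
];

// Minimal evaluator for a subset of MongoDB filter semantics (equality, $ne,
// $gt and $regex on top-level fields). It exists only so the example runs
// offline; the real driver applies the same filter server-side.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond === null || typeof cond !== 'object') {
      return value === cond;                       // plain equality match
    }
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne':    return value !== arg;
        case '$gt':    return value > arg;
        case '$regex': return new RegExp(arg).test(String(value));
        default:       throw new Error(`unsupported operator ${op}`);
      }
    });
  });
}

// Vulnerable pattern: the JSON filter from the workflow field is parsed and
// forwarded unchanged, so operator keys supplied by the attacker reach the query.
// Returns the _id values the replace operation would act on.
function findTargetsUnvalidated(collection, filterJson) {
  const filter = JSON.parse(filterJson);
  return collection.filter((doc) => matchesFilter(doc, filter)).map((d) => d._id);
}

// Hardened pattern: accept only a flat object whose values are scalars, so the
// filter can express nothing but equality on named fields. Any '$'-prefixed key
// (operator), nested object or array is rejected before the query is built.
function assertEqualityOnlyFilter(filter) {
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    throw new Error('filter must be a JSON object');
  }
  for (const [key, value] of Object.entries(filter)) {
    if (key.startsWith('$')) {
      throw new Error(`operator key rejected: ${key}`);
    }
    if (value !== null && typeof value === 'object') {
      throw new Error(`non-scalar value rejected for field ${key}`);
    }
  }
}

function findTargetsValidated(collection, filterJson) {
  const filter = JSON.parse(filterJson);
  assertEqualityOnlyFilter(filter);
  return collection.filter((doc) => matchesFilter(doc, filter)).map((d) => d._id);
}

// Stand-alone demonstration of the scope widening.
console.log(findTargetsUnvalidated(users, '{"email":"alice@example.com"}')); // [1]
console.log(findTargetsUnvalidated(users, '{"email":{"$ne":""}}'));          // [1, 2, 3]
```

The match set returned here is what a replace operation would act on: with the widened filter, the attacker's replacement document lands on records the workflow author never selected. The equality-only check is one defensive option for code that must accept filters from users; the remedy for the n8n issue itself is the upgrade described under Mitigation.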
Impact
Successful exploitation allows the attacker to overwrite arbitrary documents in the MongoDB collection with attacker-controlled content. This can lead to data integrity loss, unauthorized modification of records, and potential further compromise depending on the application's use of the database. The confidentiality and availability of the database are not directly affected, but integrity is compromised [1][2].
Mitigation
The issue is fixed in n8n version 2.24.0; upgrade to that version or later. If an immediate upgrade is not possible, administrators can restrict workflow creation and editing to trusted users, or disable the MongoDB node by adding n8n-nodes-base.mongoDb to the NODES_EXCLUDE environment variable (the variable takes a JSON array, e.g. NODES_EXCLUDE='["n8n-nodes-base.mongoDb"]'). Both workarounds are temporary and incomplete: restricting permissions does not help if a trusted editor account is compromised, and excluding the node breaks every workflow that legitimately uses it [1][2].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0 (no linked articles in the index yet)