
n8n Git Node RCE

CVE-2025-62726 | CVSS 8.8

JFrog Severity: high

Discovered by Assaf Levkovich of the JFrog Security Research Team

Published 4 Nov, 2025 | Last updated 4 Nov, 2025

n8n users can achieve arbitrary code execution on the n8n host by adding a Git Node component

n8n

( , 1.113.0)

A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution.

This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows.

Create a Git Node with a "Clone Operation" using the following source repository: https://github.com/assaf-levkovich-jf/n8n-repo-test.git

Observe that the Output panel now includes the results of the pre-commit hook command (for PoC purposes, the command simply echoes the environment variable keys, but not the values).


Disable or restrict the use of the Git Node in workflows where repository content cannot be fully trusted.
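
One way to check a cloned working directory for hooks that a later Commit operation would run, as an added example that is not part of the JFrog advisory or of n8n's code. The function names and the fixture are assumptions constructed for illustration; only the repository-local config is read, and any execute bit counts as executable.

```python
import os
import re
import tempfile

def effective_hooks_dir(repo_dir):
    """Hooks directory for repo_dir/.git, honouring core.hooksPath in the
    repository-local config (global and system config are not read here)."""
    git_dir = os.path.join(repo_dir, ".git")
    hooks, section = os.path.join(git_dir, "hooks"), ""
    try:
        with open(os.path.join(git_dir, "config"), encoding="utf-8") as fh:
            for raw in fh:
                line = raw.strip()
                if line.startswith("["):
                    section = (line.strip("[]").split() or [""])[0].lower()
                    continue
                m = re.match(r"hookspath\s*=\s*(.+)", line, re.I)
                if section == "core" and m:
                    # A relative value is resolved from the working tree root.
                    hooks = os.path.join(repo_dir, m.group(1).strip().strip('"'))
    except FileNotFoundError:
        pass
    return os.path.realpath(hooks)

def audit_hooks(repo_dir):
    """Report hooks git could run: files with an execute bit, not *.sample."""
    hooks_dir = effective_hooks_dir(repo_dir)
    default = os.path.realpath(os.path.join(repo_dir, ".git", "hooks"))
    active = []
    if os.path.isdir(hooks_dir):
        for name in sorted(os.listdir(hooks_dir)):
            path = os.path.join(hooks_dir, name)
            if (not name.endswith(".sample") and os.path.isfile(path)
                    and os.stat(path).st_mode & 0o111):
                active.append(name)
    return {"hooks_dir": hooks_dir, "redirected": hooks_dir != default, "active": active}

def build_sample(root, hooks_path=None):
    """Constructed fixture: a minimal .git layout, not a real clone."""
    hooks = os.path.join(root, hooks_path or os.path.join(".git", "hooks"))
    os.makedirs(hooks, exist_ok=True)
    os.makedirs(os.path.join(root, ".git"), exist_ok=True)
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write("[core]\n\tbare = false\n")
        if hooks_path:
            fh.write(f"\thooksPath = {hooks_path}\n")
    for name, mode in (("pre-commit", 0o755), ("pre-push.sample", 0o755), ("commit-msg", 0o644)):
        with open(os.path.join(hooks, name), "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(os.path.join(hooks, name), mode)
    return root
```

A non-empty `active` list, or `redirected` set to true, is a reason to stop before committing in that directory.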
