n8n Microsoft SQL Node Prototype Pollution Vulnerability
An authenticated user with permission to create or modify workflows can achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter.
What changed
The crafted table value pollutes Object.prototype process-wide, causing application-wide validation failures and rendering the n8n instance non-functional until restarted.
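Why a single polluted property breaks validation across the whole process, and how a health check can detect it, shown as an added example that is not n8n's code. The function names, the `injected` property and the sample input are constructed, and the polluted state is simulated directly rather than through the Microsoft SQL node.

```javascript
// Added illustration; function names and sample values are hypothetical.
// Snapshot taken at startup, before any workflow input is processed.
const BASELINE = new Set(Reflect.ownKeys(Object.prototype));

// Health check: names of properties added to Object.prototype since startup.
function findPrototypePollution() {
  return Reflect.ownKeys(Object.prototype)
    .filter((key) => !BASELINE.has(key))
    .map(String);
}

// Strict validator written with for...in, which also walks inherited
// enumerable keys, so a polluted prototype shows up on every object.
function validateStrict(obj, allowed) {
  const unknown = [];
  for (const key in obj) {
    if (!allowed.includes(key)) unknown.push(key);
  }
  return { valid: unknown.length === 0, unknown };
}

// Same rule restricted to own keys; inherited properties are ignored.
function validateOwnKeys(obj, allowed) {
  const unknown = Object.keys(obj).filter((key) => !allowed.includes(key));
  return { valid: unknown.length === 0, unknown };
}

function demo() {
  const input = { table: 'orders' }; // constructed sample parameters
  const before = validateStrict(input, ['table']);
  // Simulate the polluted state directly (constructed, not the n8n code path).
  Object.defineProperty(Object.prototype, 'injected', {
    value: true, enumerable: true, configurable: true, writable: true,
  });
  try {
    return {
      before,
      during: validateStrict(input, ['table']),
      ownOnly: validateOwnKeys(input, ['table']),
      detected: findPrototypePollution(),
    };
  } finally {
    delete Object.prototype.injected; // undo the simulation for this demo only
  }
}

console.log(demo());
```

A non-empty result from `findPrototypePollution()` in a running process is a signal to restart it, which is the recovery the advisory describes.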
Who it affects
All n8n instances where authenticated users can create or modify workflows and the Microsoft SQL node is enabled.
What to do today
Upgrade to n8n version 2.24.0 or later immediately. If upgrading is not possible, limit workflow creation and editing permissions to trusted users and disable the Microsoft SQL node via the NODES_EXCLUDE environment variable.