n8n Node.js Package 1.x < 2.0.0 Arbitrary Command Execution (N8scape)

critical Nessus Plugin ID 282599

Synopsis

The n8n Node.js Package installed on the remote host is affected by an arbitrary command execution vulnerability.

Description

The version of the n8n Node.js Package installed on the remote host is 1.x prior to 2.0.0. It is, therefore, affected by an arbitrary command execution vulnerability:

- n8n is an open-source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node, which uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, with the same privileges as the n8n process. Workarounds for this issue are: disabling the Code Node by setting the environment variable NODES_EXCLUDE; disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false (this variable was introduced in n8n version 1.104.0); and configuring n8n to use the task-runner-based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
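The following added example (not part of the plugin or of n8n) shows how an operator could combine the version range with the workarounds listed in the description to decide whether an instance is still exposed. The function names, the Code node identifier `n8n-nodes-base.code`, the JSON-array format of NODES_EXCLUDE, and the value `true` for the runner variables are assumptions that do not appear on this page.

```javascript
// Added example: audit an n8n version plus environment against the advisory.
const CODE_NODE = 'n8n-nodes-base.code'; // assumed Code node type name

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function atLeast(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] > min[i];
  }
  return true;
}

function isTrue(s) { return String(s || '').toLowerCase() === 'true'; }

function excludedNodes(raw) {
  // Assumption: NODES_EXCLUDE holds a JSON array of node type names.
  try {
    const list = JSON.parse(raw || '[]');
    return Array.isArray(list) ? list : [];
  } catch { return []; } // malformed value counts as "nothing excluded"
}

function assessN8n(version, env) {
  const v = parseVersion(version);
  const affected = v[0] === 1; // 1.0.0 up to, but not including, 2.0.0
  const mitigations = [];
  if (excludedNodes(env.NODES_EXCLUDE).includes(CODE_NODE)) mitigations.push('code-node-excluded');
  // N8N_PYTHON_ENABLED was introduced in 1.104.0, so older builds are treated as unmitigated.
  const pythonOff = String(env.N8N_PYTHON_ENABLED).toLowerCase() === 'false';
  if (pythonOff && atLeast(v, [1, 104, 0])) mitigations.push('python-disabled');
  // Both runner variables are needed to select the task-runner Python sandbox.
  if (isTrue(env.N8N_RUNNERS_ENABLED) && isTrue(env.N8N_NATIVE_PYTHON_RUNNER)) mitigations.push('native-python-runner');
  return { affected, mitigations, exposed: affected && mitigations.length === 0 };
}

// Constructed sample inputs: the same setting on two different 1.x builds.
console.log(assessN8n('1.98.2', { N8N_PYTHON_ENABLED: 'false' }));
console.log(assessN8n('1.110.0', { N8N_PYTHON_ENABLED: 'false' }));
```

Like the plugin itself, this relies on the reported version and configured settings and does not test the sandbox.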

Solution

Upgrade to n8n Node.js Package version 2.0.0 or later.

See Also

http://www.nessus.org/u?e07ff0ce

Plugin Details

Severity: Critical

ID: 282599

File Name: n8n_nodejs_package_2_0_0.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 1/12/2026

Updated: 1/12/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.9

CVSS v2

Risk Factor: High

Base Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:P

CVSS Score Source: CVE-2025-68668

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: Host/nodejs/modules/enumerated

Patch Publication Date: 12/8/2025

Vulnerability Publication Date: 12/26/2025

Reference Information

CVE: CVE-2025-68668

CWE: 693