n8n
cpe:2.3:a:n8n:n8n:*:*:*:*:node.js:*:*
- < 2.0.0
A vulnerability exists in self-hosted n8n instances prior to version 2.0.0, where the Code node operates in legacy JavaScript execution mode. Authenticated users with workflow editing rights can access internal helper functions within the Code node. This capability allows them to perform file read and write operations on the host filesystem, depending on the instance's file-access settings and the operating system or container permissions. Although n8n versions 1.2.1 and above block access to the n8n home directory by default, this restriction does not apply to other filesystem areas unless additional limitations are set.
Exploitation of this vulnerability could lead to unauthorized file read and write operations on the host filesystem, potentially allowing sensitive information to be accessed or manipulated.
Users can upgrade to n8n version 2.0.0 or later, where task runners are enabled by default for Code node execution. For n8n versions 1.71.0 and above, task runners can be activated by setting 'N8N_RUNNERS_ENABLED=true'. If an immediate upgrade is not possible, file operations can be restricted by setting 'N8N_RESTRICT_FILE_ACCESS_TO' to a dedicated directory that does not contain sensitive data; keeping 'N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true' to prevent access to the n8n home directory and user-defined config files; and, if workflow editors are not fully trusted, disabling high-risk nodes like the Code node using 'NODES_EXCLUDE'.
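The mitigation order above can be checked mechanically against a deployment's version and environment file. The following is an added example, not code from n8n or from this advisory; the function names, the `.env` sample, and the Code node type name `n8n-nodes-base.code` used in the 'NODES_EXCLUDE' check are assumptions.

```javascript
// Added example (not n8n project code): audit a deployment against the mitigations above.
// Env keys come from the advisory; function names and the sample .env are constructed.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    // Strip one layer of matching quotes around the value.
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

// Compare dotted numeric versions; non-numeric parts count as 0.
function versionAtLeast(version, minimum) {
  const a = version.split('.').map(Number);
  const b = minimum.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

function auditN8n(version, envText) {
  const env = parseEnv(envText);
  // 2.0.0+: task runners are the default for Code node execution.
  if (versionAtLeast(version, '2.0.0')) return { status: 'fixed', findings: [] };
  // 1.71.0+: task runners are available but must be switched on.
  if (versionAtLeast(version, '1.71.0') && env.N8N_RUNNERS_ENABLED === 'true') {
    return { status: 'task-runners', findings: [] };
  }
  // Otherwise only the file-access restrictions stand between editors and the host.
  const findings = [];
  if (!env.N8N_RESTRICT_FILE_ACCESS_TO) findings.push('N8N_RESTRICT_FILE_ACCESS_TO is not set');
  if (env.N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES === 'false') {
    findings.push('N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES is disabled');
  }
  // Assumption: "n8n-nodes-base.code" is the Code node's type name.
  if (!(env.NODES_EXCLUDE || '').includes('n8n-nodes-base.code')) {
    findings.push('Code node is not listed in NODES_EXCLUDE');
  }
  return { status: findings.length ? 'exposed' : 'restricted', findings };
}

// Constructed sample: the runner flag is set, but 1.70.0 predates task runners.
const SAMPLE_ENV = '# constructed sample\nN8N_RUNNERS_ENABLED=true\nN8N_BLOCK_FILE_ACCESS_TO_N8N_FILES="false"\n';
console.log(auditN8n('1.70.0', SAMPLE_ENV));
```

The 'NODES_EXCLUDE' finding matters only where workflow editors are not fully trusted, so treat it as advisory on single-operator instances.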