n8n Node.js Package 1.x < 2.0.0 Arbitrary Command Execution (N8scape)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(282599);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/23");

  script_cve_id("CVE-2025-68668");

  script_name(english:"n8n Node.js Package 1.x < 2.0.0 Arbitrary Command Execution (N8scape)");

  script_set_attribute(attribute:"synopsis", value:
"The n8n Node.js Package installed on the remote host is affected by an arbitrary command execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the n8n Node.js Package installed on the remote host is 1.x prior to 2.0.0. It is,
therefore, affected by an arbitrary command execution vulnerability:

  - n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass 
    vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission 
    to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host 
    system running n8n, using the same privileges as the n8n process. Workarounds for this issue involve 
    disabling the Code Node by setting the environment variable NODES_EXCLUDE, disabling Python support 
    in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced 
    in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the 
    N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e07ff0ce");
  script_set_attribute(attribute:"solution", value:
"Upgrade to n8n Node.js Package version 2.0.0 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-68668");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(693);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/12/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nodejs:node.js");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nodejs_modules_win_installed.nbin", "nodejs_modules_linux_installed.nbin", "nodejs_modules_mac_installed.nbin");
  script_require_keys("Host/nodejs/modules/enumerated");

  exit(0);
}

include('vcf_extras_nodejs.inc');

get_kb_item_or_exit('Host/nodejs/modules/enumerated');

var app = 'n8n';
var app_info = vcf_extras::nodejs_modules::get_app_info(app:app);

if (empty_or_null(app_info))
  audit(AUDIT_NOT_INST, app);

var constraints = [
  {'min_version':'1.0', 'fixed_version':'2.0.0'}
];


vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);