n8n Node.js Package < 1.123.18 / 2.x < 2.5.0 Arbitrary File Read (CVE-2026-25052)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(298985);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/16");

  script_cve_id("CVE-2026-25052");

  script_name(english:"n8n Node.js Package < 1.123.18 / 2.x < 2.5.0 Arbitrary File Read (CVE-2026-25052)");

  script_set_attribute(attribute:"synopsis", value:
"The n8n Node.js Package installed on the remote host is affected by an arbitrary file read vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the n8n Node.js Package installed on the remote host is prior to 1.123.18, or 2.x prior to 2.5.0. It
is, therefore, affected by an arbitrary file read vulnerability:

  - A vulnerability in the file access controls allows authenticated users with permission to create or modify
    workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration
    data and user credentials, leading to complete account takeover of any user on the instance. (CVE-2026-25052)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f486db8d");
  script_set_attribute(attribute:"solution", value:
"Upgrade to n8n Node.js Package version 1.123.18 or 2.5.0 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-25052");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/02/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nodejs:node.js");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nodejs_modules_win_installed.nbin", "nodejs_modules_linux_installed.nbin", "nodejs_modules_mac_installed.nbin");
  script_require_keys("Host/nodejs/modules/enumerated");

  exit(0);
}

include('vcf_extras_nodejs.inc');

get_kb_item_or_exit('Host/nodejs/modules/enumerated');

var app = 'n8n';
var app_info = vcf_extras::nodejs_modules::get_app_info(app:app);

if (empty_or_null(app_info))
  audit(AUDIT_NOT_INST, app);

var constraints = [
  {'fixed_version':'1.123.18'},
  {'min_version':'2.0.0', 'fixed_version':'2.5.0'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);