Dangerous eval() in n8n
Why eval() is extremely dangerous and should never be used
What is this issue?
The eval() function compiles and executes arbitrary JavaScript from a string. In an n8n Code node, calling eval() lets an attacker inject and run their own code whenever they control any part of the string that reaches the eval call, for example a field in a webhook payload, a row from a database, or a value fetched from an external API.
Dangerous patterns:
• eval(userInput) - executing user-controlled strings
• eval('(' + jsonString + ')') - parsing JSON with eval; any JavaScript expression in the string runs, not just JSON
• new Function(code) - the same danger as eval, since the function body is compiled from a string
• setTimeout(stringCode, ms) / setInterval(stringCode, ms) - when the first argument is a string. Browsers evaluate that string as code; Node.js, which n8n runs on, rejects a non-function callback with a TypeError, so in a Code node this pattern is a sign of eval-style intent rather than a working sink
Why is this dangerous?
Remote code execution
Attackers can run arbitrary JavaScript inside the Code node's execution context on your n8n server, with whatever access that context has.
Data theft
Malicious code can read and exfiltrate the items flowing through the workflow, any credentials the node has access to, and environment variables.
Server compromise
The Code node runs in a sandbox, but eval() gives an attacker a foothold inside it; combined with a sandbox escape, that foothold becomes full control of the server.
Lateral movement
A compromised n8n instance can be used to attack other internal systems.
How to fix it
1. Remove all eval() calls
There is no safe way to use eval() with user input. Remove it completely, including new Function() and string arguments to setTimeout/setInterval.
2. Use JSON.parse() for JSON
If the string is JSON, parse it with JSON.parse(). It accepts only JSON and throws a SyntaxError on anything else, so embedded code is rejected instead of executed.
3. Refactor dynamic code
Replace eval with explicit logic: a switch statement, a lookup object keyed by the input value and checked against a fixed allow-list, or conditional logic. Input should only ever select between operations you wrote; it must never become source text.
4. Audit code imports
Check that no library loaded in a Code node (or shipped in a community node) passes user-controlled input to eval() or new Function() internally.
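The two most common shapes of this bug and their fixes, as an added example that is not n8n's own code and not the scanner behind this page. The items array is constructed to look like what a Code node receives from a Webhook node via $input.all(); the op and value field names, and the double/negate operations, are assumptions made for the example.

```javascript
// Added example (not n8n's code): "apply the operation the request names"
// and "parse the request body", each in its eval form and its replacement.

function double(v) { return v * 2; }
function negate(v) { return -v; }

// Constructed requests: two legitimate ones and one whose "op" field is code.
// In a real Code node these would come from $input.all().
const sampleItems = [
  { json: { op: 'double', value: 21 } },
  { json: { op: 'negate', value: 5 } },
  { json: { op: '(globalThis.injected = true, double)', value: 1 } },
];

// BEFORE: request fields are pasted into source text and evaluated.
// The third item becomes "(globalThis.injected = true, double)(1)", so the
// attacker's expression runs with the node's privileges (here it only plants
// a global as proof). The value field is just as injectable as op.
function applyOpUnsafe(items) {
  return items.map(({ json: { op, value } }) => ({
    json: { result: eval(`${op}(${value})`) }, // DANGEROUS: code from input
  }));
}

// AFTER: input is only ever used as a key into a fixed allow-list.
// Object.hasOwn rejects inherited names such as "constructor" or "__proto__".
const OPS = { double, negate };

function applyOpSafe(items) {
  return items.map(({ json: { op, value } }) => {
    if (typeof op !== 'string' || !Object.hasOwn(OPS, op)) {
      throw new Error(`unsupported op: ${String(op)}`);
    }
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      throw new Error('value must be a finite number');
    }
    return { json: { result: OPS[op](value) } };
  });
}

// BEFORE: the classic "parse JSON with eval". Any JavaScript expression in
// the body, not just JSON, gets executed.
function parseBodyUnsafe(text) {
  return eval('(' + text + ')'); // DANGEROUS
}

// AFTER: JSON.parse accepts only JSON and throws SyntaxError on code.
function parseBodySafe(text) {
  return JSON.parse(text);
}

// Inside a Code node the safe version would end with:
//   return applyOpSafe($input.all());
```

The point of the allow-list is that the request can choose between operations you wrote but can never contribute source text; the type checks on value matter because a string value is interpolated just as readily as a string op. A body such as `{"a": (globalThis.x = 1, 7)}` is a valid JavaScript expression and so parses "successfully" under eval while JSON.parse rejects it.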
Scan your workflow now
Upload your n8n workflow JSON and detect any dangerous eval() usage in Code nodes.
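A minimal version of such a check, added here as an example and not the scanner behind this page. It assumes the shape of an n8n workflow export: a top-level "nodes" array, Code nodes of type "n8n-nodes-base.code" with their JavaScript in parameters.jsCode, and the older Function node with parameters.functionCode. The workflow it scans is constructed for the example.

```javascript
// Added example (not the page's scanner): flag the eval-style patterns listed
// above in the JavaScript of each Code node of an exported n8n workflow.

const DANGEROUS_PATTERNS = [
  { name: 'eval()', re: /\beval\s*\(/ },
  { name: 'new Function()', re: /\bnew\s+Function\s*\(/ },
  // String first argument to a timer; a sign of eval-style intent.
  { name: 'setTimeout/setInterval(string)', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

// Assumed node types and the parameter that holds their source code.
const CODE_FIELDS = {
  'n8n-nodes-base.code': 'jsCode',
  'n8n-nodes-base.function': 'functionCode',
};

// Returns one finding per (node, line, pattern) hit.
function findDangerousEval(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    const field = CODE_FIELDS[node.type];
    if (!field) continue;                       // not a code-carrying node
    const code = node.parameters?.[field];
    if (typeof code !== 'string') continue;     // e.g. a Python Code node
    code.split('\n').forEach((line, i) => {
      for (const { name, re } of DANGEROUS_PATTERNS) {
        if (re.test(line)) {
          findings.push({ node: node.name, line: i + 1, pattern: name, text: line.trim() });
        }
      }
    });
  }
  return findings;
}

// Constructed workflow export: one Webhook node, one Code node that evals
// request data, one Code node that uses JSON.parse correctly.
const sampleWorkflow = {
  name: 'webhook-transform',
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'in' } },
    {
      name: 'Transform',
      type: 'n8n-nodes-base.code',
      parameters: {
        jsCode: [
          'const body = $input.first().json;',
          "const cfg = eval('(' + body.config + ')');",
          'const run = new Function("x", body.expr);',
          'return [{ json: { out: run(cfg.x) } }];',
        ].join('\n'),
      },
    },
    {
      name: 'Safe',
      type: 'n8n-nodes-base.code',
      parameters: { jsCode: 'return $input.all().map(i => ({ json: JSON.parse(i.json.raw) }));' },
    },
  ],
};

// Report: "Transform:2 eval() ..." and "Transform:3 new Function() ..."
for (const f of findDangerousEval(sampleWorkflow)) {
  console.log(`${f.node}:${f.line} ${f.pattern}  ${f.text}`);
}
```

To run it on a real export, read the file with fs.readFileSync and pass JSON.parse of its contents to findDangerousEval. A regex scan like this is a triage tool, not proof of absence: it misses aliasing such as `const e = eval; e(x)` or `globalThis['ev' + 'al']`, and it says nothing about eval calls inside libraries the node imports, which is what step 4 above is for.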