Security issue

Unsafe module import in n8n

Why importing npm modules in Code nodes can create security vulnerabilities

What is this issue?

When a Code node uses require() or import to load an external module, that module runs with the permissions of the n8n server process and can execute arbitrary code. This bypasses n8n's security model and can lead to remote code execution.

Risky import patterns:

  • require('child_process') for command execution
  • require('fs') for file system access
  • require('net') for network connections
  • Dynamic require with template strings

Why is this dangerous?

Remote code execution

Imported modules can execute arbitrary commands on the server.

File system access

Modules can read, write, or delete files outside n8n's scope.

Network exfiltration

Malicious code can open connections to external servers.

Privilege escalation

Imported modules run with the full permissions of the n8n process; they are not sandboxed or isolated from it.

How to fix it

  1. Restrict allowed modules

     Configure N8N_NODE_OPTIONS to limit which modules can be imported.

  2. Use built-in methods

     n8n provides built-in methods for common tasks—use them instead of raw imports.

  3. Create custom nodes

     For complex logic, create a proper custom node with code review and testing.

  4. Enable task runner isolation

     Run Code nodes in isolated containers that restrict module access.

Scan your workflow now

Upload your n8n workflow JSON and detect unsafe module imports in Code nodes.
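As an added example (not code from this site or from n8n itself), the following JavaScript applies the risky-pattern list above to an exported workflow JSON, which is the kind of check described here. It assumes Code nodes are exported with type "n8n-nodes-base.code" and their JavaScript in parameters.jsCode, and it runs over a constructed sample workflow.

```javascript
// Added example, not n8n's own code. Static check of an exported n8n workflow
// for the risky import patterns listed on this page. Assumption: Code nodes
// have type "n8n-nodes-base.code" and their script in parameters.jsCode.
const RISKY_MODULES = new Set(['child_process', 'fs', 'net']);

// require('x') / import('x') with a string literal: the module name is known.
const LITERAL_CALL = /\b(require|import)\s*\(\s*(['"])([^'"]+)\2\s*\)/g;
// ESM form: import ... from 'x'
const ESM_IMPORT = /\bimport\b[^;]*?\bfrom\s*(['"])([^'"]+)\1/g;
// require(`...`) or require(someVariable): the module name is built at
// runtime, so it cannot be reviewed statically and is always flagged.
const DYNAMIC_CALL = /\b(?:require|import)\s*\(\s*(?:`|[^'")\s])/g;

// Returns one finding per risky or unreviewable import in a code string.
// Comments are not stripped, so a commented-out require is also reported.
function findRiskyImports(code) {
  const findings = [];
  for (const m of code.matchAll(LITERAL_CALL)) {
    if (RISKY_MODULES.has(m[3])) findings.push({ kind: m[1], module: m[3] });
  }
  for (const m of code.matchAll(ESM_IMPORT)) {
    if (RISKY_MODULES.has(m[2])) findings.push({ kind: 'import', module: m[2] });
  }
  for (const _ of code.matchAll(DYNAMIC_CALL)) {
    findings.push({ kind: 'dynamic-require', module: null });
  }
  return findings;
}

// Walks every Code node in a workflow and reports the nodes with findings.
function scanWorkflow(workflow) {
  const report = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== 'n8n-nodes-base.code') continue;
    const code = (node.parameters && node.parameters.jsCode) || '';
    const findings = findRiskyImports(code);
    if (findings.length > 0) report.push({ node: node.name, findings });
  }
  return report;
}

// Constructed sample workflow: one clean node, one literal risky require,
// one dynamic require built from input data.
const SAMPLE_WORKFLOW = { nodes: [
  { name: 'Safe', type: 'n8n-nodes-base.code', parameters: { jsCode: 'return $input.all();' } },
  { name: 'Shell', type: 'n8n-nodes-base.code', parameters: { jsCode: "const cp = require('child_process');" } },
  { name: 'Dyn', type: 'n8n-nodes-base.code', parameters: { jsCode: 'const m = require(`${$json.mod}`);' } },
] };

console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW), null, 2));
```

A static match like this catches the listed patterns but not names assembled at runtime, which is why every non-literal require is reported and why the allow-list and task runner isolation steps above remain the actual control.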
