GHSA-365g-vjw2-grx8
HIGHn8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
n8n-nodes-basenpmn8nnpmDescription
Impact
The Execute Command node in n8n allows execution of arbitrary commands on the host system where n8n runs. While this functionality is intended for advanced automation and can be useful in certain workflows, it poses a security risk if all users with access to the n8n instance are not fully trusted.
An attacker—either a malicious user or someone who has compromised a legitimate user account—could exploit this node to run arbitrary commands on the host machine, potentially leading to data exfiltration, service disruption, or full system compromise.
This vulnerability affects all n8n deployments where:
- The
Execute Commandnode is enabled, and - Not all user accounts are strictly controlled and trusted.
n8n.cloud is not impacted.
Patches
No code changes have been made to alter the behavior of the Execute Command node. The recommended mitigation is to disable the node by default in environments where it is not explicitly required.
Future n8n versions may change the default availability of this node.
Workarounds
Administrators can disable the Execute Command node by setting the following environment variable before starting n8n:
export NODES_EXCLUDE: "[\"n8n-nodes-base.executeCommand\"]"
References
n8n docs: Execute Command n8n docs: Blocking nodes
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | n8n-nodes-base | all versions | No fix |
| 📦npm | n8n | all versions | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for n8n-nodes-base. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of n8n-nodes-base has shipped for GHSA-365g-vjw2-grx8 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-365g-vjw2-grx8 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-365g-vjw2-grx8. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-365g-vjw2-grx8 in your dependencies?
O3 detects GHSA-365g-vjw2-grx8 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.