Veracode Very high issues

Hi team,

I need help on how to solve this Veracode Very High level issue on this n8n-custom. I have attached an image in which line no. 8 is generating the high level issue. This is the description given by Veracode: "This call to vm.Script() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed." Can you please assist me with how to solve this?

packages → core → src → Classloader.ts

Thank you

Hey @Tanay_Acro,

This looks to be a false positive to me, but let's see what @netroy thinks.

Hi @Jon,

Is there any possible direction for solving this issue?

Thank you

Hey @Tanay_Acro,

If you want to fix it yourself you would need to make your own fork of n8n and make any changes that you feel are needed. If you want us to look into it in more detail feel free to send the full report to our [email protected] inbox so we can look into it.

1 Like

Looking at the rest of the code, the vm module is used here to execute only files internal to n8n, and no arbitrary code. And since n8n-core isn't available in the Code node, I'm not sure if someone can actually exploit this.
Until we have a proof-of-concept for this exploit, I'd say that this is a false positive.

3 Likes
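The reasoning in the reply above (the `vm.Script()` call only ever runs files internal to the application) can be enforced as an explicit check before the file is compiled. This is an added example, not n8n's code and not part of the thread: `resolveInside`, `loadInternalScript`, `demo` and the sample files are hypothetical, and it assumes Node.js with CommonJS `require`.

```javascript
// Added example (not n8n code). All names and sample files are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const vm = require('node:vm');

// Resolve `requested` and refuse anything that is not a file under `trustedRoot`.
function resolveInside(trustedRoot, requested) {
  const root = fs.realpathSync(trustedRoot);
  // realpathSync follows symlinks, so a link that points outside the root is caught too.
  const target = fs.realpathSync(path.resolve(root, requested));
  const rel = path.relative(root, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escapes) {
    const err = new Error(`refusing to load outside trusted root: ${requested}`);
    err.code = 'E_OUTSIDE_ROOT';
    throw err;
  }
  return target;
}

// Compile and run a file with vm.Script only after the containment check.
// node:vm is not a security boundary; the path check is what keeps input trusted.
function loadInternalScript(trustedRoot, requested) {
  const file = resolveInside(trustedRoot, requested);
  const script = new vm.Script(fs.readFileSync(file, 'utf8'), { filename: file });
  const context = vm.createContext({ module: { exports: {} } });
  script.runInContext(context);
  return context.module.exports;
}

// Constructed sample layout: one file inside the trusted root, one beside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'vm-loader-'));
  const root = path.join(base, 'dist');
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, 'node.js'), 'module.exports = { name: "internal" };');
  fs.writeFileSync(path.join(base, 'outside.js'), 'module.exports = { name: "outside" };');
  const results = { internal: loadInternalScript(root, 'node.js').name };
  const bad = { traversal: '../outside.js', absolute: path.join(base, 'outside.js') };
  for (const [label, requested] of Object.entries(bad)) {
    try { loadInternalScript(root, requested); results[label] = 'loaded'; }
    catch (e) { results[label] = e.code; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```
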
