Vulnerability Issues on Hosted Version 1.64.1

Hi Everyone

I’ve got a few vulnerability issues on dependencies in my n8n (1.64.1) hosted (Docker) setup, flagged by my security check process. I tried to update them with “npm install” during the build process, but got no luck with some of them…

I’m using the baseline from “n8nio/base”

Here is the list:
| CVE | Risk | Package | Type | Location |
|---|---|---|---|---|
| CVE-2024-29415 | High | ip | Npm | /usr/local/lib/node_modules/npm/node_modules/ip/package.json |
| CVE-2022-25883 | High | semver | Npm | /usr/local/lib/node_modules/n8n/node_modules/utf7/node_modules/semver/package.json |
| CVE-2024-4367 | High | pdfjs-dist | Npm | /usr/local/lib/node_modules/n8n/node_modules/pdfjs-dist/package.json |
| CVE-2024-28863 | Medium | tar | Npm | /usr/local/lib/node_modules/npm/node_modules/tar/package.json |
| CVE-2024-35255 | Medium | @azure/identity | Npm | /usr/local/lib/node_modules/n8n/node_modules/tedious/node_modules/@azure/identity/package.json |
| CVE-2024-43796 | Medium | express | Npm | /usr/local/lib/node_modules/n8n/node_modules/express/package.json |
| CVE-2023-42282 | Low | ip | Npm | /usr/local/lib/node_modules/npm/node_modules/ip/package.json |
| CVE-2024-47764 | Low | cookie | Npm | /usr/local/lib/node_modules/n8n/node_modules/curlconverter/node_modules/cookie/package.json |
| CVE-2024-9143 | Unknown | openssl | OS | OS |

Does anyone know if there is an easy way to solve this?

Information on your n8n setup

  • n8n version: 1.64.1
  • Database (default: SQLite): Postgres
  • n8n EXECUTIONS_PROCESS setting (default: own, main): own
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • Operating system: Linux

Hey @Paulo_Jesus,

Welcome to the community :cake:

We have taken a look at these, and it looks like that while the packages have the potential to be vulnerable depending on how you use them, the way we are using them lowers the risk massively and there shouldn’t be an issue.

If you wanted to try and update them, you could update the packages we use, run the tests to make sure nothing breaks, and build a custom Docker image from there.

Let me know if you have any questions on this.
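Before rebuilding the image as suggested above, it helps to read the Location column of the scanner table: it tells you which dependency tree each finding sits in, and therefore whether an `npm install` in the n8n tree can reach it at all. The following script is an added example (mine, not n8n's tooling); it parses only the paths shown in the table and groups the findings by root tree and nesting chain.

```python
"""Triage image-scanner findings by which dependency tree each package lives in.

Added example, not n8n's own tooling; it only parses the Location column the
scanner printed, so it runs offline."""
from collections import defaultdict

# Constructed input: the CVE, package and location columns of the scanner table above.
FINDINGS = [
    ("CVE-2024-29415", "ip", "/usr/local/lib/node_modules/npm/node_modules/ip/package.json"),
    ("CVE-2022-25883", "semver", "/usr/local/lib/node_modules/n8n/node_modules/utf7/node_modules/semver/package.json"),
    ("CVE-2024-4367", "pdfjs-dist", "/usr/local/lib/node_modules/n8n/node_modules/pdfjs-dist/package.json"),
    ("CVE-2024-28863", "tar", "/usr/local/lib/node_modules/npm/node_modules/tar/package.json"),
    ("CVE-2024-35255", "@azure/identity", "/usr/local/lib/node_modules/n8n/node_modules/tedious/node_modules/@azure/identity/package.json"),
    ("CVE-2024-43796", "express", "/usr/local/lib/node_modules/n8n/node_modules/express/package.json"),
    ("CVE-2023-42282", "ip", "/usr/local/lib/node_modules/npm/node_modules/ip/package.json"),
    ("CVE-2024-47764", "cookie", "/usr/local/lib/node_modules/n8n/node_modules/curlconverter/node_modules/cookie/package.json"),
    ("CVE-2024-9143", "openssl", "OS"),
]

GLOBAL_ROOT = "/usr/local/lib/node_modules/"  # where the image installs both npm and n8n


def classify(location):
    """Return (root, chain, package) for one scanner Location.

    root is the global package the file belongs to: "npm" (the CLI bundled in
    the base image) or "n8n" (the application), or "os" for non-npm findings.
    chain lists the packages that nest the vulnerable one (empty when hoisted).
    """
    if not location.startswith(GLOBAL_ROOT):
        return ("os", [], None)
    # Splitting on the separator gives ['/usr/local/lib', root, *nesting, 'pkg/package.json'];
    # scoped names such as @azure/identity stay intact because they contain no separator.
    root, *chain, leaf = location.split("/node_modules/")[1:]
    return (root, chain, leaf.removesuffix("/package.json"))


def triage(findings):
    """Group CVEs by root tree and spell out the nesting path for each."""
    groups = defaultdict(list)
    for cve, name, location in findings:
        root, chain, package = classify(location)
        groups[root].append((cve, " > ".join([root, *chain, package or name])))
    return dict(groups)


if __name__ == "__main__":
    for root, rows in triage(FINDINGS).items():
        print(f"[{root}]", *(f"  {cve:15} {path}" for cve, path in rows), sep="\n")
```

Findings rooted at `npm` (ip, tar) belong to the npm CLI shipped in the base image, so reinstalling n8n's dependencies never touches them; nested findings (semver under utf7, cookie under curlconverter, @azure/identity under tedious) can only move within the version range their parent declares, which is why a plain `npm install` left some of them in place.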