Dangerous code in n8n - eval()
- Feb 3
- 1 min read
Updated: Feb 13
What this means (non-technical)
The eval() function executes JavaScript code that is provided as a string. If any part of that string comes from user input, you are allowing external data to become executable code.
In a Code node, this can give far more control than intended.
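The following is an added example, not code from the article or from n8n itself. It shows the same transform written two ways in the style of an n8n Code node: one that splices an input field into eval(), and one that lets the input only select from a fixed table of operations. The items array and its field names (price, qty, operation) are constructed here to stand in for what a node would receive from $input.all().

```javascript
// Constructed sample input, mimicking items an n8n Code node receives.
// The "operation" field is the kind of value that could arrive from a
// webhook or form and therefore cannot be trusted.
const items = [
  { json: { price: 40, qty: 3, operation: "price * qty" } },
  { json: { price: 10, qty: 2, operation: "price + qty" } },
];

// Vulnerable variant: the input string becomes part of the code that runs.
// eval() returns the value of the last expression, so for arithmetic input
// this "works", which is exactly why the pattern survives code review.
function computeUnsafe(item) {
  const { price, qty, operation } = item.json;
  return eval(`const price = ${price}, qty = ${qty}; ${operation}`);
}

// Hardened variant: the input is a key into an allow-list of operations.
// Anything not in the table is rejected instead of executed, and the
// numeric fields are type-checked before use.
const ALLOWED_OPERATIONS = {
  "price * qty": (p, q) => p * q,
  "price + qty": (p, q) => p + q,
};

function computeSafe(item) {
  const { price, qty, operation } = item.json;
  if (typeof price !== "number" || typeof qty !== "number") {
    throw new TypeError("price and qty must be numbers");
  }
  const fn = Object.prototype.hasOwnProperty.call(ALLOWED_OPERATIONS, operation)
    ? ALLOWED_OPERATIONS[operation]
    : undefined;
  if (!fn) {
    // Truncate what we echo back so the error message itself stays small.
    throw new Error(`unsupported operation: ${String(operation).slice(0, 40)}`);
  }
  return fn(price, qty);
}

// Same shape a Code node returns: one output item per input item.
function run(compute, inputItems) {
  return inputItems.map((item) => ({ json: { ...item.json, total: compute(item) } }));
}

// Demonstrates the difference on an input that is not arithmetic at all.
// The unsafe path happily executes it; the safe path refuses it.
function demo() {
  const odd = { json: { price: 40, qty: 3, operation: "price.toString().repeat(2)" } };
  let safeRejected = false;
  try {
    computeSafe(odd);
  } catch (e) {
    safeRejected = true;
  }
  return { unsafeResult: computeUnsafe(odd), safeRejected };
}
```

For arithmetic input both functions return the same totals, which is the point: the safe version loses nothing a workflow legitimately needs, while the unsafe one runs whatever string reached the node.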
What usually goes wrong
If user input reaches eval(), someone can inject their own JavaScript.
That code runs inside your workflow and may:
- Access workflow data.
- Attempt to read environment variables.
- Perform unexpected logic.
Even if you trust your current inputs, changes in upstream systems can eventually introduce unsafe data.
Because eval() executes dynamically, errors are often unpredictable and hard to debug.
When this becomes urgent
This becomes urgent when:
- The Code node processes webhook or form data.
- Multiple users can edit workflows.
- The instance runs in production.
- The server has access to sensitive systems.
The combination of dynamic execution and public input is especially risky.
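As an added example (not part of the article and not an n8n feature), here is a static check that can be run over an exported workflow JSON to find Code nodes using dynamic execution, and to rank higher those reachable from a webhook or form trigger, matching the urgency criteria above. It assumes the exported format places Code node scripts in parameters.jsCode with node type "n8n-nodes-base.code", uses "n8n-nodes-base.webhook" and "n8n-nodes-base.formTrigger" for public entry points, and records edges as connections[sourceName].main[][].node; verify these names against your own export before relying on the result. The sample workflow is constructed.

```javascript
// Patterns that turn a string into executable code. new Function() is
// included because it has the same effect as eval() for this purpose.
const DYNAMIC_EXEC = /\beval\s*\(|\bnew\s+Function\s*\(/;

// Node types whose output is driven by external callers (assumed type names).
const PUBLIC_INPUT_TYPES = new Set([
  "n8n-nodes-base.webhook",
  "n8n-nodes-base.formTrigger",
]);

// Walk the connection graph from the given node names and return every node
// reachable from them. Assumes connections[name].main is an array of branches,
// each an array of { node, type, index } edges.
function downstreamOf(workflow, startNames) {
  const seen = new Set();
  const stack = [...startNames];
  while (stack.length) {
    const name = stack.pop();
    const branches = (workflow.connections[name] && workflow.connections[name].main) || [];
    for (const branch of branches) {
      for (const edge of branch) {
        if (!seen.has(edge.node)) {
          seen.add(edge.node);
          stack.push(edge.node);
        }
      }
    }
  }
  return seen;
}

// Report each Code node that uses dynamic execution. Severity is "high" when
// the node sits downstream of a public trigger, "medium" otherwise, since the
// page's urgency criteria hinge on whether external input can reach the node.
function findDynamicExec(workflow) {
  const publicSources = workflow.nodes
    .filter((n) => PUBLIC_INPUT_TYPES.has(n.type))
    .map((n) => n.name);
  const reachable = downstreamOf(workflow, publicSources);
  const findings = [];
  for (const node of workflow.nodes) {
    if (node.type !== "n8n-nodes-base.code") continue;
    const code = (node.parameters && node.parameters.jsCode) || "";
    if (!DYNAMIC_EXEC.test(code)) continue;
    findings.push({
      node: node.name,
      severity: reachable.has(node.name) ? "high" : "medium",
    });
  }
  return findings;
}

// Constructed sample export: one public path (Webhook -> Calc -> Clean) and
// one scheduled path (Cron -> Housekeeping).
const sampleWorkflow = {
  nodes: [
    { name: "Webhook", type: "n8n-nodes-base.webhook", parameters: {} },
    { name: "Calc", type: "n8n-nodes-base.code",
      parameters: { jsCode: "return items.map(i => ({ json: { v: eval(i.json.expr) } }));" } },
    { name: "Clean", type: "n8n-nodes-base.code", parameters: { jsCode: "return items;" } },
    { name: "Cron", type: "n8n-nodes-base.scheduleTrigger", parameters: {} },
    { name: "Housekeeping", type: "n8n-nodes-base.code",
      parameters: { jsCode: "const f = new Function('return 1');\nreturn [{ json: { n: f() } }];" } },
  ],
  connections: {
    Webhook: { main: [[{ node: "Calc", type: "main", index: 0 }]] },
    Calc: { main: [[{ node: "Clean", type: "main", index: 0 }]] },
    Cron: { main: [[{ node: "Housekeeping", type: "main", index: 0 }]] },
  },
};

// Usage: node scan.js < workflow.json, or call findDynamicExec on a parsed export.
console.log(JSON.stringify(findDynamicExec(sampleWorkflow), null, 2));
```

Run against real exports, the regex will produce some false positives (a comment mentioning eval, for instance), which is acceptable for a review aid: each hit is a Code node worth reading by hand.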
Definitions
eval(): A JavaScript function that executes a string as code.
Dynamic code execution: Running code that is built at runtime rather than written directly in the script.
Disclaimer
This article highlights common patterns and risks seen in real-world n8n workflows. It’s meant to help you build more confidently and avoid surprises as your automation grows. Behavior can vary depending on your setup, version, and configuration.