PT-2025-53605 · Pyodide+1 · Pyodide+1
Berkdedekarginoglu +1 · Published 2025-12-24 · Updated 2026-02-14 · CVE-2025-68668
CVSS v3.1
9.9 Critical
Base vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
n8n versions from 1.0.0 up to, but not including, 2.0.0
Description
n8n is an open source workflow automation platform. A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide, affecting versions from 1.0.0 up to, but not including, 2.0.0. An authenticated user with permission to create or modify workflows can exploit this issue to execute arbitrary commands on the host system running n8n, with the same privileges as the n8n process. This vulnerability, tracked as CVE-2025-68668, has a CVSS score of 9.9 (Critical). Workarounds include disabling the Code Node by setting the environment variable NODES_EXCLUDE to "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED to false (available in n8n version 1.104.0), and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. The task runner-based Python implementation became the default starting with n8n version 2.0.0.
Recommendations
Upgrade to n8n version 2.0.0 or later.
As a temporary workaround, disable the Code Node by setting the environment variable NODES_EXCLUDE to "[\"n8n-nodes-base.code\"]".
As a temporary workaround, disable Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED to false.
As a temporary workaround, configure n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.
Fix
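The check below is an added example, not code from n8n or from this advisory: it takes an n8n version string and a dictionary of environment variables and reports whether the deployment is still exposed or which of the listed mitigations covers it. It assumes that the runner variables are enabled with the value "true", that "available in n8n version 1.104.0" means that version and later, and that a malformed NODES_EXCLUDE value excludes nothing; the function names and sample deployments are constructed.

```python
import json

RUNNER_VARS = ("N8N_RUNNERS_ENABLED", "N8N_NATIVE_PYTHON_RUNNER")

def parse_version(text):
    """'1.104.0' -> (1, 104, 0); pre-release suffixes are not handled."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))

def code_node_excluded(env):
    """True if NODES_EXCLUDE is a JSON array that lists the Code node."""
    try:
        excluded = json.loads(env.get("NODES_EXCLUDE", "[]"))
    except json.JSONDecodeError:
        return False  # assumption: a malformed value excludes nothing
    return isinstance(excluded, list) and "n8n-nodes-base.code" in excluded

def is_true(env, name):
    # Assumption: the runner variables are switched on with the value "true".
    return env.get(name, "").strip().lower() == "true"

def assess(version, env):
    """Return (exposed, reason) for CVE-2025-68668."""
    ver = parse_version(version)
    if ver >= (2, 0, 0):
        return False, "fixed: task runner Python is the default from 2.0.0"
    if ver < (1, 0, 0):
        return False, "outside the affected range stated in the advisory"
    if code_node_excluded(env):
        return False, "workaround: Code node disabled via NODES_EXCLUDE"
    python_off = env.get("N8N_PYTHON_ENABLED", "").strip().lower() == "false"
    if python_off and ver >= (1, 104, 0):
        return False, "workaround: Python disabled via N8N_PYTHON_ENABLED"
    if all(is_true(env, name) for name in RUNNER_VARS):
        return False, "workaround: task runner Python sandbox selected"
    if python_off:
        return True, "N8N_PYTHON_ENABLED is only available from 1.104.0"
    return True, "Pyodide-based Python Code node is reachable"

if __name__ == "__main__":
    # Constructed sample deployments, not taken from any real system.
    samples = [
        ("1.98.2", {"N8N_PYTHON_ENABLED": "false"}),
        ("1.110.0", {"NODES_EXCLUDE": '["n8n-nodes-base.code"]'}),
        ("2.0.0", {}),
    ]
    for version, env in samples:
        print(version, assess(version, env))
```

The first sample is reported as exposed: the version predates the N8N_PYTHON_ENABLED switch, so only the NODES_EXCLUDE or task runner workaround (or the upgrade) applies there.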
RCE
Protection Mechanism Failure
Weakness Enumeration
Related Identifiers
BDU:2026-00123
CVE-2025-68668
GHSA-62R4-HW23-CC8V
Affected Products
Pyodide
N8N
References · 82
- https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v · Vendor Advisory
- https://osv.dev/vulnerability/GHSA-62r4-hw23-cc8v · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-68668 · Security Note
- https://bdu.fstec.ru/vul/2026-00123 · Security Note
- https://github.com/n8n-io/n8n · Note
- https://reddit.com/r/CVEWatch/comments/1q6cj0c/top_10_trending_cves_07012026 · Reddit Post
- https://twitter.com/Guardian360nl/status/2008569274860741091 · Twitter Post
- https://reddit.com/r/SecOpsDaily/comments/1q5aodg/new_n8n_vulnerability_99_cvss_lets_authenticated · Reddit Post
- https://t.me/cyberok_news/173 · Telegram Post
- https://twitter.com/CveFindCom/status/2004683382320468049 · Twitter Post
- https://twitter.com/wvipersg/status/2008456876904644826 · Twitter Post
- https://twitter.com/TheHackersNews/status/2008406609471406589 · Twitter Post
- https://twitter.com/pentest_swissky/status/2011803809190699039 · Twitter Post
- https://twitter.com/The_SatyaDVV/status/2008733363591614815 · Twitter Post
- https://twitter.com/CrowdCyber_Com/status/2008587744390348839 · Twitter Post