CVE-2025-68668

Name of the Vulnerable Software and Affected Versions n8n versions 1.0.0 through less than 2.0.0

Description n8n is an open source workflow automation platform. A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this issue to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This vulnerability is rated as critical with a CVSS score of 9.9. The vulnerability resides in the Pyodide sandbox within the Python Code Node, allowing authenticated users with workflow permissions to execute arbitrary operating system commands on the host. The issue has been patched in version 2.0.0.

Recommendations Upgrade to n8n version 2.0.0 or higher. Disable the Code Node by setting the environment variable

NODES EXCLUDE

to "["n8n-nodes-base.code"]". Disable Python support in the Code node by setting the environment variable

N8N PYTHON ENABLED

to false, which was introduced in n8n version 1.104.0. Configure n8n to use the task runner based Python sandbox via the

N8N RUNNERS ENABLED

and

N8N NATIVE PYTHON RUNNER

environment variables.