PT-2025-53606 · N8N · N8N

Berkdedekarginoglu · Published 2025-12-26 · Updated 2025-12-27

CVE-2025-68697 · CVSS v3.1 7.1 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: n8n versions prior to 2.0.0

Description: n8n is a workflow automation platform. In self-hosted instances before version 2.0.0, when the Code node operates in legacy JavaScript execution mode, authenticated users with workflow editing permissions can execute internal functions within the Code node. This allows workflow editors to perform actions on the host system with the same privileges as the n8n process, including reading and writing files, subject to file access restrictions and OS/container permissions. Mitigation strategies include restricting file access to a dedicated directory using the N8N_RESTRICT_FILE_ACCESS_TO variable, ensuring the N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES variable is set to true, and disabling high-risk nodes such as the Code node using the NODES_EXCLUDE variable if workflow editors are not fully trusted.

Recommendations: Upgrade to version 2.0.0 or later. Set the N8N_RESTRICT_FILE_ACCESS_TO variable to a dedicated directory containing no sensitive data. Ensure the N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES variable is set to true. Disable the Code node using the NODES_EXCLUDE variable if workflow editors are not fully trusted.
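As an added example (not part of this advisory and not n8n's own tooling), a small POSIX shell audit that checks an n8n environment against the three recommended settings and the fixed version; the sample env contents are constructed, and n8n-nodes-base.code is the Code node's type name as listed in NODES_EXCLUDE.

```shell
#!/bin/sh
# Added audit helper for the mitigations in this advisory (not n8n's own
# tooling). It inspects KEY=VALUE lines such as those in an n8n .env file.

# Print the last value assigned to KEY ($2) in the env text ($1); empty if unset.
env_get() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Return 0 when VERSION ($1) is at or above the fixed release 2.0.0.
n8n_version_fixed() {
  major=${1%%.*}
  [ "$major" -ge 2 ] 2>/dev/null
}

# Print each missing control; the return code is the number of missing
# controls, so 0 means all three mitigations are in place.
check_n8n_hardening() {
  env_text=$1
  missing=0
  if [ -z "$(env_get "$env_text" N8N_RESTRICT_FILE_ACCESS_TO)" ]; then
    echo "MISSING: N8N_RESTRICT_FILE_ACCESS_TO is unset; file access is not confined"
    missing=$((missing + 1))
  fi
  # The default is true, so only an explicit false is a finding.
  if [ "$(env_get "$env_text" N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES)" = "false" ]; then
    echo "MISSING: N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES is set to false"
    missing=$((missing + 1))
  fi
  # n8n-nodes-base.code is the Code node's type name as used by NODES_EXCLUDE.
  case "$(env_get "$env_text" NODES_EXCLUDE)" in
    *n8n-nodes-base.code*) ;;
    *) echo "MISSING: Code node is not listed in NODES_EXCLUDE"
       missing=$((missing + 1)) ;;
  esac
  return "$missing"
}

# Constructed sample: disables the default protection and excludes only the
# Execute Command node, leaving the Code node available.
SAMPLE_WEAK='N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=false
NODES_EXCLUDE=["n8n-nodes-base.executeCommand"]'
# Constructed sample: the configuration the advisory recommends.
SAMPLE_HARDENED='N8N_RESTRICT_FILE_ACCESS_TO=/data/n8n-files
N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true
NODES_EXCLUDE=["n8n-nodes-base.code","n8n-nodes-base.executeCommand"]'

check_n8n_hardening "$SAMPLE_WEAK" || echo "weak sample: $? control(s) missing"
check_n8n_hardening "$SAMPLE_HARDENED" && echo "hardened sample: all controls present"
```

Point the functions at `printenv` output or the contents of the deployment's env file to audit a live instance.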

Tags: Exploit · Fix · LPE · Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2025-68697, GHSA-J4P8-H8MH-RH8Q

Affected Products: N8N