
"The vulnerability, tracked as CVE-2025-68668, is rated 9.9 on the CVSS scoring system. It has been described as a case of a protection mechanism failure. It affects n8n versions from 1.0.0 up to, but not including, 2.0.0, and allows an authenticated user with permission to create or modify workflows to execute arbitrary operating system commands on the host running n8n. The issue has been addressed in version 2.0.0."
"With the release of version 2.0.0, the implementation has been made the default. As workarounds, n8n is recommending that users follow the outlined steps below:
- Disable the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]"
- Disable Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false
- Configure n8n to use the task runner-based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables"
A critical sandbox bypass vulnerability in n8n's Python Code Node using Pyodide (CVE-2025-68668) allows authenticated users with create/modify workflow permissions to execute arbitrary operating system commands on the host with the privileges of the n8n process. The flaw is rated 9.9 on the CVSS scale and affects n8n versions from 1.0.0 up to, but not including, 2.0.0. n8n introduced an optional task-runner native Python implementation in 1.111.0 for improved isolation and made it the default in 2.0.0. Recommended mitigations include disabling the Code Node, disabling Python in the Code node, or enabling the task-runner Python sandbox. A separate critical RCE (CVE-2025-68613) was also recently addressed.
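The following is an added example, not code from n8n or from The Hacker News article: a small Python check a defender can run against an n8n deployment's environment and version to see whether it falls in the affected range (1.0.0 up to, but not including, 2.0.0) and whether at least one of the published workarounds is in place. It assumes NODES_EXCLUDE is a JSON array of node type names (the form shown in the advisory), that N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER are enabled with the literal value "true" (the page names the variables but not the values, so that is an assumption), and the sample environment dictionaries are constructed for illustration.

```python
import json
import os

# Affected range per the advisory: >= 1.0.0 and < 2.0.0
AFFECTED_MIN = (1, 0, 0)
FIXED_VERSION = (2, 0, 0)
# Node type name to exclude, as given in the advisory's NODES_EXCLUDE example
CODE_NODE = "n8n-nodes-base.code"


def parse_version(version):
    """Turn '1.111.0', 'v1.99.0-rc1' etc. into a comparable (major, minor, patch) tuple."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(version):
    """True if the version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def code_node_excluded(nodes_exclude):
    """True if NODES_EXCLUDE is a JSON array that contains the Code Node type name."""
    if not nodes_exclude:
        return False
    try:
        excluded = json.loads(nodes_exclude)
    except json.JSONDecodeError:
        # A malformed value would not be applied as an exclusion list, so treat it as absent.
        return False
    return isinstance(excluded, list) and CODE_NODE in excluded


def runner_sandbox_enabled(env):
    """True if both runner variables are set to 'true' (assumed enabling value)."""
    return (env.get("N8N_RUNNERS_ENABLED", "").strip().lower() == "true"
            and env.get("N8N_NATIVE_PYTHON_RUNNER", "").strip().lower() == "true")


def assess(env, version):
    """Return (status, reasons) where status is 'not_affected', 'mitigated' or 'exposed'."""
    if not is_affected_version(version):
        return "not_affected", [f"version {version} is outside the affected range"]

    applied = []
    if code_node_excluded(env.get("NODES_EXCLUDE")):
        applied.append("Code Node disabled via NODES_EXCLUDE")
    if env.get("N8N_PYTHON_ENABLED", "").strip().lower() == "false":
        applied.append("Python disabled via N8N_PYTHON_ENABLED=false")
    if runner_sandbox_enabled(env):
        applied.append("task-runner Python sandbox enabled")

    if applied:
        return "mitigated", applied
    return "exposed", ["affected version with none of the published workarounds applied"]


if __name__ == "__main__":
    # Constructed sample environments; in practice pass os.environ and the running version.
    samples = [
        ({}, "1.99.0"),
        ({"NODES_EXCLUDE": '["n8n-nodes-base.code"]'}, "1.99.0"),
        ({"N8N_RUNNERS_ENABLED": "true", "N8N_NATIVE_PYTHON_RUNNER": "true"}, "1.111.0"),
        ({}, "2.0.0"),
    ]
    for env, version in samples:
        status, reasons = assess(env, version)
        print(f"{version:>8}  {status:<12} {'; '.join(reasons)}")
    # Live check against the current process environment (version supplied by the operator):
    live_version = os.environ.get("N8N_VERSION_UNDER_TEST", "1.99.0")  # placeholder name
    print("live:", assess(dict(os.environ), live_version))
```

The check is deliberately strict: a malformed NODES_EXCLUDE or a runner variable set to anything other than "true" counts as not mitigated, so a typo in the workaround shows up as "exposed" rather than silently passing. Upgrading to 2.0.0 or later remains the fix; the workarounds only matter while an affected version is still running.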
Read at The Hacker News