Critical n8n Security Flaw: Authenticated Users Can Execute System Commands (CVE-2025-68668) (2026)

A significant security flaw has recently been revealed in n8n, a widely used open-source workflow automation tool. This vulnerability poses a serious risk as it allows authenticated users to run arbitrary system commands on the host machine where n8n is installed.

Identified as CVE-2025-68668, this issue has been assigned a CVSS (Common Vulnerability Scoring System) score of 9.9, indicating a critical level of risk. The root cause is a bypass of the sandbox that is meant to isolate user-supplied code, which could have devastating consequences if exploited.

The affected versions of n8n include all releases from 1.0.0 up to, but not including, 2.0.0. Specifically, any authenticated user with the ability to create or alter workflows can leverage this vulnerability to execute any operating system command on the server running n8n. Thankfully, this security issue has been rectified in version 2.0.0.

According to the advisory regarding this flaw, "A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide." This means that if an authenticated user possesses permissions to modify workflows, they can exploit this flaw to execute commands directly on the host system, holding the same privileges as the n8n process itself.

In response to these types of vulnerabilities, n8n has introduced a task runner-based native Python implementation starting from version 1.111.0, aimed at enhancing security isolation. Users can activate this feature by adjusting the environment variables N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER. With the rollout of version 2.0.0, this enhancement has now become the standard setting.

For those still using earlier versions of n8n, the team recommends several steps to mitigate risks:

  • Disable the Code Node entirely by setting the environment variable NODES_EXCLUDE to "[\"n8n-nodes-base.code\"]"
  • Turn off Python support in the Code Node by setting the environment variable N8N_PYTHON_ENABLED=false
  • Configure n8n to use the task runner-based Python sandbox by setting the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.
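The following configuration check is an added example, not code from the n8n project or from the advisory: it classifies a deployment against the three mitigations above and the task-runner rollout described earlier, so an administrator can audit a fleet of instances without reading each one's environment by hand. It assumes the variable names and meanings are exactly as the advisory states; the version comparison is a plain major.minor split written here, not n8n's own version logic, and N8N_VERSION is an assumed variable name used only for the stand-alone call at the bottom.

```shell
#!/usr/bin/env bash
# Added example (not from n8n or the advisory): audit one n8n deployment
# against the CVE-2025-68668 mitigations. POSIX sh compatible.

# Split "MAJOR.MINOR.PATCH" into N8N_MAJOR / N8N_MINOR; returns 1 if unparsable.
n8n_parse_version() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  N8N_MAJOR="${1%%.*}"
  local rest="${1#*.}"
  N8N_MINOR="${rest%%.*}"
  return 0
}

# Affected range from the advisory: 1.0.0 <= version < 2.0.0.
n8n_version_affected() {
  n8n_parse_version "$1" || return 1
  [ "$N8N_MAJOR" -eq 1 ]
}

# The task runner-based native Python implementation exists from 1.111.0,
# so on an older 1.x release the runner variables cannot act as a mitigation.
n8n_native_runner_available() {
  n8n_parse_version "$1" || return 1
  [ "$N8N_MAJOR" -gt 1 ] || { [ "$N8N_MAJOR" -eq 1 ] && [ "$N8N_MINOR" -ge 111 ]; }
}

# Classify one deployment. Arguments, in order:
#   version, NODES_EXCLUDE, N8N_PYTHON_ENABLED, N8N_RUNNERS_ENABLED, N8N_NATIVE_PYTHON_RUNNER
# Prints a single status token; callers branch on the "exposed:" prefix.
n8n_pyodide_exposure() {
  local version="$1" nodes_exclude="$2" python_enabled="$3" runners="$4" native_runner="$5"
  if ! n8n_parse_version "$version"; then
    echo "unknown-version:verify-manually"
    return 0
  fi
  if ! n8n_version_affected "$version"; then
    echo "not-affected:version-${version}"
    return 0
  fi
  # Mitigation 1: the Code Node is excluded altogether.
  case "$nodes_exclude" in
    *n8n-nodes-base.code*) echo "mitigated:code-node-excluded"; return 0 ;;
  esac
  # Mitigation 2: Python support in the Code Node is switched off.
  if [ "$python_enabled" = "false" ]; then
    echo "mitigated:python-disabled"
    return 0
  fi
  # Mitigation 3: task runner-based Python sandbox, only valid from 1.111.0.
  if [ "$runners" = "true" ] && [ "$native_runner" = "true" ]; then
    if n8n_native_runner_available "$version"; then
      echo "mitigated:task-runner-sandbox"
    else
      echo "exposed:runner-vars-set-but-version-predates-1.111.0"
    fi
    return 0
  fi
  echo "exposed:pyodide-python-code-node"
  return 0
}

# Stand-alone use: read the live environment. N8N_VERSION is an assumed name
# for illustration; substitute however your deployment records its version.
n8n_pyodide_exposure \
  "${N8N_VERSION:-unknown}" \
  "${NODES_EXCLUDE:-}" \
  "${N8N_PYTHON_ENABLED:-}" \
  "${N8N_RUNNERS_ENABLED:-}" \
  "${N8N_NATIVE_PYTHON_RUNNER:-}"
```

The check deliberately treats the runner variables as a mitigation only when the version is at least 1.111.0, since before that release the native Python runner did not exist and setting the variables would give a false sense of safety; an instance reported as "exposed:" should be upgraded to 2.0.0 or given one of the first two mitigations.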

This announcement follows another critical vulnerability disclosure related to n8n, identified as CVE-2025-68613, which also received a CVSS score of 9.9 and could lead to arbitrary code execution under certain conditions.



Article information

Author: Msgr. Refugio Daniel