CVE-2025-68668 Overview
CVE-2025-68668 is a sandbox bypass vulnerability in n8n, an open source workflow automation platform. The flaw resides in the Python Code Node, which uses Pyodide to execute user-supplied Python code. Authenticated users with permission to create or modify workflows can break out of the Pyodide sandbox and execute arbitrary commands on the underlying host. The executed commands run with the same privileges as the n8n process. The issue affects versions from 1.0.0 up to but not including 2.0.0 and has been patched in version 2.0.0. The vulnerability is classified under [CWE-693] Protection Mechanism Failure.
Critical Impact
An authenticated workflow editor can escape the Python sandbox and execute arbitrary OS commands as the n8n process user, leading to full host compromise.
Affected Products
- n8n versions 1.0.0 through 1.x (prior to 2.0.0)
- n8n self-hosted deployments running the Pyodide-based Python Code Node
- n8n instances where N8N_PYTHON_ENABLED is not explicitly disabled
Discovery Timeline
- 2025-12-26 - CVE CVE-2025-68668 published to NVD
- 2026-01-05 - Last updated in NVD database
Technical Details for CVE-2025-68668
Vulnerability Analysis
The n8n Code Node lets workflow authors run Python snippets inside the workflow execution context. To isolate user code, n8n embeds Pyodide, a WebAssembly build of CPython that runs inside the Node.js process. The sandbox is intended to restrict access to host filesystem, network, and process APIs. The flaw allows an authenticated user to leverage Pyodide's JavaScript interop surface to reach Node.js host primitives. Once the JavaScript boundary is crossed, the attacker can invoke Node.js APIs such as child_process to spawn arbitrary processes. Because the Code Node executes inside the main n8n worker, command execution inherits the n8n process privileges, credentials, environment variables, and access to stored workflow secrets.
Root Cause
The root cause is an incomplete protection mechanism around the Pyodide runtime [CWE-693]. The sandbox relies on Python-level restrictions while leaving the underlying JavaScript bridge reachable. Pyodide exposes interfaces that allow Python code to obtain JavaScript objects, and n8n did not sufficiently restrict these crossings before version 2.0.0.
Attack Vector
Exploitation requires an authenticated account with permission to create or modify workflows. The attacker creates or edits a workflow containing a Python Code Node with a payload that pivots from the Pyodide context into Node.js. When the workflow runs, the payload executes shell commands on the host. Detailed exploitation steps are documented in the SmartKeys CVE-2025-68668 Analysis and the GitHub Security Advisory.
Detection Methods for CVE-2025-68668
Indicators of Compromise
- Unexpected child processes spawned by the n8n Node.js process, particularly sh, bash, curl, wget, or python
- New or modified workflows containing Python Code Nodes referencing JavaScript interop attributes such as pyodide, js, or globalThis
- Outbound network connections from the n8n host to unfamiliar IP addresses or domains shortly after workflow execution
- Access to /etc/passwd, .env files, or n8n encryption key files (~/.n8n/config) outside normal operations
Detection Strategies
- Audit workflow definitions in the n8n database for Code Nodes whose Python source references host or JavaScript objects
- Monitor process lineage for children of the n8n runtime that are not part of normal workflow execution
- Enable n8n audit logs and alert on workflow creation or modification events by non-administrative users
Monitoring Recommendations
- Forward n8n application logs and host process telemetry to a centralized logging or SIEM platform for correlation
- Track outbound network egress from the n8n host and baseline expected destinations per workflow
- Alert on changes to environment variables, service binaries, or scheduled tasks on the n8n host
How to Mitigate CVE-2025-68668
Immediate Actions Required
- Upgrade n8n to version 2.0.0 or later, which contains the patch for this vulnerability
- Review existing user accounts and revoke workflow create or modify permissions for untrusted users
- Audit recent workflow changes for suspicious Python Code Node content prior to patching
- Rotate credentials, API keys, and the n8n encryption key if compromise is suspected
Patch Information
The vendor released the fix in n8n version 2.0.0. Refer to the GitHub Security Advisory GHSA-62r4-hw23-cc8v for full remediation guidance and release notes.
Workarounds
- Disable the Code Node entirely by setting NODES_EXCLUDE=["n8n-nodes-base.code"]
- Disable Python support in the Code Node by setting N8N_PYTHON_ENABLED=false (available from n8n 1.104.0)
- Switch to the task runner based Python sandbox by setting N8N_RUNNERS_ENABLED=true and N8N_NATIVE_PYTHON_RUNNER=true
- Restrict workflow editor permissions to trusted administrators only until the upgrade is complete
# Configuration example: disable Python in the Code Node
export N8N_PYTHON_ENABLED=false
# Or exclude the Code Node entirely
export NODES_EXCLUDE='["n8n-nodes-base.code"]'
# Or enable the isolated task runner with native Python
export N8N_RUNNERS_ENABLED=true
export N8N_NATIVE_PYTHON_RUNNER=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

