CVE-2025-68668 Overview
CVE-2025-68668 is a critical sandbox bypass vulnerability affecting n8n, the open source workflow automation platform. The vulnerability exists in the Python Code Node component that utilizes Pyodide for Python execution. This flaw allows authenticated users with permission to create or modify workflows to escape the intended sandbox restrictions and execute arbitrary commands on the host system running n8n, inheriting the same privileges as the n8n process.
Critical Impact
Authenticated attackers can achieve remote code execution on the n8n host system by exploiting this sandbox bypass, potentially leading to complete system compromise.
Affected Products
- n8n versions from 1.0.0 to before 2.0.0
- n8n workflow automation platform (Node.js deployments)
- Self-hosted n8n instances with Python Code Node enabled
Discovery Timeline
- 2025-12-26 - CVE-2025-68668 published to NVD
- 2026-01-05 - Last updated in NVD database
Technical Details for CVE-2025-68668
Vulnerability Analysis
This vulnerability falls under CWE-693 (Protection Mechanism Failure), where the security sandbox designed to isolate Python code execution fails to properly contain malicious operations. The Pyodide-based sandbox implementation in n8n's Python Code Node contains flaws that allow attackers to break out of the restricted execution environment.
When users create or modify workflows containing Python Code Nodes, the platform is designed to execute Python code within a sandboxed Pyodide environment. However, the sandbox implementation contains exploitable weaknesses that allow code to interact with the underlying host system. This effectively transforms a legitimate workflow automation feature into a remote code execution vector.
The attack requires authentication and workflow modification permissions, but these are common privileges in many n8n deployments. Once exploited, the attacker gains command execution capabilities equivalent to the n8n process owner, which often runs with elevated privileges in production environments.
Root Cause
The root cause of CVE-2025-68668 lies in the inadequate implementation of the Pyodide-based Python sandbox within n8n's Code Node. The Protection Mechanism Failure (CWE-693) indicates that the sandbox boundaries were not properly enforced, allowing Python code to escape the intended isolation layer and interact directly with the host operating system. The sandbox failed to properly restrict access to dangerous primitives or system interfaces that could be abused to execute arbitrary commands.
Attack Vector
The attack vector for this vulnerability is network-based, requiring an authenticated attacker with workflow creation or modification permissions. The attacker crafts a malicious workflow containing a Python Code Node with specially constructed code designed to escape the Pyodide sandbox. When this workflow is executed, the malicious code breaks out of the sandbox and executes arbitrary commands on the host system.
The exploitation chain involves:
- Authenticating to the n8n instance with appropriate permissions
- Creating or modifying a workflow to include a Python Code Node
- Inserting sandbox escape payload into the Python code block
- Executing the workflow, triggering command execution on the host
The vulnerability mechanism leverages weaknesses in how Pyodide's isolation boundaries interact with the n8n runtime environment. Attackers can potentially access file systems, execute system commands, or establish reverse shells, all running with the privileges of the n8n process. For detailed technical analysis of the sandbox escape mechanism, refer to the Smartkeyss CVE-2025-68668 Analysis.
Detection Methods for CVE-2025-68668
Indicators of Compromise
- Unexpected workflow modifications involving Python Code Nodes, especially from unusual accounts
- Suspicious process spawning from the n8n process with unexpected command-line arguments
- Anomalous outbound network connections originating from the n8n server
- Unusual file system access patterns from the n8n process outside normal operational directories
- Authentication events followed by immediate workflow creation or modification activities
Detection Strategies
- Monitor n8n audit logs for workflow creation and modification events, particularly those involving Code Nodes
- Implement process monitoring to detect child processes spawned by the n8n application with suspicious characteristics
- Deploy endpoint detection rules to identify sandbox escape patterns and unauthorized system calls
- Configure network monitoring to detect unusual egress traffic from n8n servers
Monitoring Recommendations
- Enable comprehensive logging for n8n workflow operations and user authentication events
- Implement SentinelOne behavioral AI monitoring on n8n host systems to detect post-exploitation activities
- Configure alerts for Python Code Node usage by non-administrative accounts
- Monitor system resource utilization for anomalies indicating unauthorized command execution
How to Mitigate CVE-2025-68668
Immediate Actions Required
- Upgrade n8n to version 2.0.0 or later immediately to receive the security patch
- Audit existing workflows for potentially malicious Python Code Nodes
- Review user permissions and restrict workflow modification capabilities to trusted users only
- Implement network segmentation to limit the blast radius of potential exploitation
Patch Information
The vulnerability has been patched in n8n version 2.0.0. Organizations running affected versions (1.0.0 through 1.x.x) should prioritize upgrading to the patched version. The official security advisory is available on the n8n GitHub Security Advisory page.
Workarounds
- Disable the Code Node entirely by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]"
- Disable Python support in the Code Node by setting N8N_PYTHON_ENABLED=false (available in n8n version 1.104.0 and later)
- Configure n8n to use the task runner based Python sandbox via N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables
# Configuration to disable Python Code Node functionality
# Option 1: Disable the Code Node entirely
export NODES_EXCLUDE='["n8n-nodes-base.code"]'
# Option 2: Disable Python support only (n8n 1.104.0+)
export N8N_PYTHON_ENABLED=false
# Option 3: Use task runner based sandbox
export N8N_RUNNERS_ENABLED=true
export N8N_NATIVE_PYTHON_RUNNER=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
