CVE-2025-68668

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-68668

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68668.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-68668

Aliases

GHSA-62r4-hw23-cc8v

Published

2025-12-26T21:49:20.695Z

Modified

2026-01-07T14:49:10.861609Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator

Summary

n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node

Details

n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODESEXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8NPYTHONENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8NRUNNERSENABLED and N8NNATIVEPYTHONRUNNER environment variables.

Database specific

{
    "cwe_ids": [
        "CWE-693"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68668.json"
}

References

Affected packages

Git / github.com/n8n-io/n8n

Affected ranges

Type: GIT
Repo: https://github.com/n8n-io/n8n
Events: Introduced

f217e1f149534d4d658444327e0c0f1464c7d879

Fixed

a8ecda44f7627630bc8b78cf671405157ad41c4f

Affected versions

n8n@0.*

n8n@0.235.0

n8n@0.236.0

n8n@1.*

n8n@1.0.0

n8n@1.0.1

n8n@1.1.0

n8n@1.10.0

n8n@1.100.0

n8n@1.101.0

n8n@1.102.0

n8n@1.103.0

n8n@1.104.0

n8n@1.105.0

n8n@1.106.0

n8n@1.107.0

n8n@1.108.0

n8n@1.109.0

n8n@1.11.0

n8n@1.110.0

n8n@1.111.0

n8n@1.112.0

n8n@1.113.0

n8n@1.114.0

n8n@1.115.0

n8n@1.116.0

n8n@1.117.0

n8n@1.118.0

n8n@1.119.0

n8n@1.12.0

n8n@1.120.0

n8n@1.121.0

n8n@1.122.0

n8n@1.13.0

n8n@1.14.0

n8n@1.15.1

n8n@1.16.0

n8n@1.17.0

n8n@1.18.0

n8n@1.19.0

n8n@1.2.0

n8n@1.20.0

n8n@1.21.0

n8n@1.22.0

n8n@1.23.0

n8n@1.24.0

n8n@1.25.0

n8n@1.26.0

n8n@1.27.0

n8n@1.28.0

n8n@1.29.0

n8n@1.3.0

n8n@1.30.0

n8n@1.31.0

n8n@1.32.0

n8n@1.33.0

n8n@1.35.0

n8n@1.36.0

n8n@1.37.0

n8n@1.38.0

n8n@1.39.0

n8n@1.4.0

n8n@1.40.0

n8n@1.41.0

n8n@1.42.0

n8n@1.43.0

n8n@1.44.0

n8n@1.45.0

n8n@1.46.0

n8n@1.47.0

n8n@1.48.0

n8n@1.49.0

n8n@1.5.0

n8n@1.5.1

n8n@1.50.0

n8n@1.51.0

n8n@1.52.0

n8n@1.53.0

n8n@1.54.0

n8n@1.55.0

n8n@1.56.0

n8n@1.57.0

n8n@1.58.0

n8n@1.59.0

n8n@1.6.0

n8n@1.60.0

n8n@1.61.0

n8n@1.62.1

n8n@1.63.0

n8n@1.64.0

n8n@1.65.0

n8n@1.66.0

n8n@1.67.0

n8n@1.68.0

n8n@1.69.0

n8n@1.7.0

n8n@1.70.0

n8n@1.71.0

n8n@1.72.0

n8n@1.73.0

n8n@1.74.0

n8n@1.75.0

n8n@1.76.0

n8n@1.77.0

n8n@1.78.0

n8n@1.79.0

n8n@1.8.0

n8n@1.80.0

n8n@1.81.0

n8n@1.82.0

n8n@1.83.0

n8n@1.84.0

n8n@1.85.0

n8n@1.86.0

n8n@1.87.0

n8n@1.88.0

n8n@1.89.0

n8n@1.9.0

n8n@1.90.0

n8n@1.91.0

n8n@1.92.0

n8n@1.93.0

n8n@1.94.0

n8n@1.95.0

n8n@1.96.0

n8n@1.97.0

n8n@1.98.0

n8n@1.99.0

n8n@2.*

n8n@2.0.0-rc.0

n8n@2.0.0-rc.1

n8n@2.0.0-rc.2

n8n@2.0.0-rc.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68668.json"