CVE Overview
CVE Name: n8n Vulnerable to Arbitrary Command Execution in Pyodide-based Python Code Node
CVE ID: CVE-2025-68668
CWE ID: CWE-693 – Protection Mechanism Failure
Disclosure Date: December 26, 2025
Credited Researchers: berkdedekarginoglu, VladimirEliTokarev
Severity & Risk Rating
- CVSS v3.1 Score: 9.9 / 10.0 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
- Severity Level: CRITICAL
- Exploit Complexity: Low
- Privileges Required: Low (authenticated user with workflow creation or modification permissions)
- User Interaction: None
- Scope: Changed
- Overall Impact: Host-level Remote Code Execution (RCE)
Affected Product Details
- Product: n8n (Open Source Workflow Automation Platform)
- Affected Versions: 1.0.0 through all 1.x.x releases (< 2.0.0)
- Fixed Version: 2.0.0
Exploitability & Threat Status
- Exploitability: High
- Exploit Availability:
  - No publicly released proof-of-concept (PoC) at the time of writing
  - Exploitation techniques are well understood and reproducible
- Attack Surface:
  - Internal users
  - Compromised credentials
  - Insider threat scenarios
This vulnerability is especially dangerous because n8n is commonly deployed as an internet-facing automation service, often with elevated privileges and access to sensitive credentials.
Vulnerability Description
This vulnerability exists in the Python Code Node component of n8n.
The Python Code Node relies on Pyodide, a Python runtime designed to execute code inside a WebAssembly-based sandbox.
While Pyodide provides reasonable isolation in browser environments, its sandbox is not sufficient when used in a server-side Node.js context, as implemented by n8n prior to version 2.0.0.
Because of this design weakness:
- The Pyodide sandbox can be bypassed
- Python code executed inside the Code Node can:
  - Escape isolation
  - Interact with the host operating system
  - Execute arbitrary system commands
Once exploited, commands execute with the same privileges as the n8n process, which may be:
- Root (common in Docker deployments)
- A privileged service account
This turns a workflow feature into a full server compromise vector.
How the Vulnerability Can Be Exploited
Attack Prerequisites
An attacker must have:
- Valid authentication to the n8n instance
- Permission to create or modify workflows
- Access to the Python Code Node (not disabled via environment variables)
- A vulnerable n8n version (1.0.0 to < 2.0.0)
Exploitation Flow
- The attacker logs into the n8n web interface using valid credentials.
- A new workflow is created, or an existing workflow is modified.
- A Python Code Node is added to the workflow.
- The attacker inserts specially crafted Python code that abuses weaknesses in the Pyodide sandbox.
- The sandbox escape allows interaction with the underlying OS.
- The workflow is executed manually or via trigger, executing the payload on the server.
Potential Post-Exploitation Impact
Once compromised, attackers can:
- Access sensitive data
  - Environment variables
  - Database credentials
  - API tokens and secrets
- Perform lateral movement
  - Pivot into internal networks
- Establish persistence
  - Backdoors
  - Scheduled jobs
  - Modified workflows
- Exfiltrate data
  - Workflow logic
  - Business and customer data
- Hijack resources
  - Cryptomining
  - Botnet activity
Proof of Concept (PoC) Status
- Public PoC: Not available at this time
- Exploitation Feasibility: High
Typical sandbox escape techniques in Pyodide-based systems include:
- Abusing JavaScript ↔ Python interop layers
- Leveraging unrestricted `eval_code` functionality
- Misusing module import mechanisms
- Accessing network or file primitives not properly constrained
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Relevance |
|---|---|---|
| T1059.006 | Command and Scripting Interpreter: Python | Malicious Python execution via Code Node |
| T1059 | Command and Scripting Interpreter | Parent technique |
| T1190 | Exploit Public-Facing Application | n8n often exposed externally |
| T1068 | Exploitation for Privilege Escalation | Sandbox escape |
| T1203 | Exploitation for Client Execution | Workflow execution triggers payload |
Associated CAPEC Patterns
- CAPEC-1 – Accessing Functionality Not Properly Constrained by ACLs
- CAPEC-17 – Using Malicious Files
- CAPEC-22 – Exploiting Trust in Client
- CAPEC-36 – Using Unpublished Interfaces or Functionality
- CAPEC-237 – Escaping a Sandbox by Calling Signed Code
Detection & Monitoring Guidance
Recommended Log Sources
- n8n Application Logs
- n8n Workflow Execution Logs
- Host-based Audit Logs (auditd, Windows Event Logs)
- Network Logs (firewall, proxy, IDS)
- Container / Orchestration Logs
- Docker daemon logs
- Kubernetes pod logs
Suspicious Indicators
- Python Code Nodes containing:
  - `os.system`
  - `subprocess`
  - `os.popen`
- Access to sensitive file paths:
  - `/etc/passwd`
  - `/etc/shadow`
  - `~/.ssh`
- Unexpected child processes spawned by n8n:
  - `bash`, `sh`, `python`, `curl`, `wget`, `nc`
- Outbound connections from n8n to unknown IPs
- Workflow changes made by non-admin users
- Execution during unusual hours or long runtimes
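As an added example (not part of this advisory or of n8n's own code), a static check that scans an exported workflow for Python Code Nodes matching the indicators above; it also covers the later recommendation to audit existing workflows. It assumes the export layout `type: "n8n-nodes-base.code"`, `parameters.language` and `parameters.pythonCode`, and the sample workflow is constructed.

```python
import re

# Indicator patterns from the advisory's list, plus Pyodide's `js` interop module (the JavaScript <-> Python layer named above).
INDICATORS = {
    "os.system": re.compile(r"\bos\.system\s*\("),
    "os.popen": re.compile(r"\bos\.popen\s*\("),
    "subprocess": re.compile(r"\bsubprocess\b"),
    "sensitive-path": re.compile(r"/etc/passwd|/etc/shadow|~/\.ssh"),
    "js-interop": re.compile(r"^\s*(?:import\s+js\b|from\s+js\s+import)", re.MULTILINE),
}

# Assumed export layout: Code Nodes have this type and carry parameters.language plus parameters.pythonCode / jsCode.
CODE_NODE_TYPE = "n8n-nodes-base.code"

def python_code_nodes(workflow):
    """Yield (node_name, python_source) for every Python Code Node in a workflow."""
    for node in workflow.get("nodes", []):
        params = node.get("parameters", {})
        if node.get("type") == CODE_NODE_TYPE and params.get("language") == "python":
            yield node.get("name", "<unnamed>"), params.get("pythonCode", "")

def audit_workflow(workflow):
    """Return {node_name: [indicator, ...]} for Python Code Nodes hitting any indicator."""
    findings = {}
    for name, source in python_code_nodes(workflow):
        hits = [label for label, rx in INDICATORS.items() if rx.search(source)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample (not a real export): a benign Python node, a JavaScript node, and a Python node that trips three indicators.
SAMPLE_WORKFLOW = {
    "name": "nightly-sync",
    "nodes": [
        {"name": "Normalize", "type": CODE_NODE_TYPE, "parameters": {
            "language": "python", "pythonCode": "return [{'json': i['json']} for i in _input.all()]"}},
        {"name": "Format", "type": CODE_NODE_TYPE, "parameters": {
            "language": "javaScript", "jsCode": "return $input.all();"}},
        {"name": "Collect", "type": CODE_NODE_TYPE, "parameters": {
            "language": "python",
            "pythonCode": "import js\nimport subprocess\n"
                          "return [{'json': {'out': subprocess.check_output(['cat', '/etc/passwd']).decode()}}]"}},
    ],
}

if __name__ == "__main__":
    for node, hits in audit_workflow(SAMPLE_WORKFLOW).items():
        print(f"{SAMPLE_WORKFLOW['name']}/{node}: {', '.join(hits)}")
```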
Detection Logic
KQL – Suspicious Process Spawning
```kql
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in ("node", "node.exe")
| where InitiatingProcessCommandLine has "n8n"
| where FileName in ("bash","sh","cmd.exe","powershell.exe","python","python3","curl","wget","nc","netcat")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc
```
Sigma Rule – n8n Python Sandbox Escape
```yaml
title: n8n Python Code Node Suspicious Command Execution
status: experimental
logsource:
  product: linux
  service: auditd
detection:
  selection_parent:
    parent_exe|endswith: '/node'
    parent_cmdline|contains: 'n8n'
  selection_child:
    exe|endswith:
      - '/bash'
      - '/sh'
      - '/python'
      - '/python3'
      - '/curl'
      - '/wget'
  condition: selection_parent and selection_child
level: high
tags:
  - attack.execution
  - attack.t1059.006
  - cve.2025.68668
```
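As an added example (not part of the advisory), the Sigma rule's two selections implemented in Python and run over constructed JSON-lines process events; the child list is the union of the KQL query and Sigma rule above, and an allowlist prefix (the hypothetical `example_task_runner` command line) is added as the tuning a practitioner needs when a verified-legitimate spawn shares a binary with the rule's list.

```python
import json

# Child binaries flagged by the advisory's KQL query and Sigma rule (union of both lists).
SUSPICIOUS_CHILDREN = {"bash", "sh", "cmd.exe", "powershell.exe", "python", "python3",
                       "curl", "wget", "nc", "netcat"}

def basename(path):
    """Last path component, lower-cased; accepts both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_n8n_parent(event):
    """selection_parent: the parent is the node binary whose command line runs n8n."""
    return (basename(event.get("parent_exe", "")) in ("node", "node.exe")
            and "n8n" in event.get("parent_cmdline", ""))

def is_suspicious_child(event, allow_prefixes=()):
    """selection_child: a flagged interpreter or downloader, unless its command line starts
    with an allowlisted prefix (tuning knob for spawns you have verified as legitimate)."""
    if basename(event.get("exe", "")) not in SUSPICIOUS_CHILDREN:
        return False
    return not event.get("cmdline", "").startswith(tuple(allow_prefixes))

def detect(jsonl, allow_prefixes=()):
    """Apply the rule to JSON-lines process events and return the matching events."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_n8n_parent(event) and is_suspicious_child(event, allow_prefixes):
                hits.append(event)
    return hits

# Constructed sample telemetry (not real logs); field names follow the Sigma rule above.
N8N_CMD = "node /usr/local/bin/n8n start"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-12-27T02:14:03Z", "parent_exe": "/usr/local/bin/node", "parent_cmdline": N8N_CMD,
     "exe": "/bin/sh", "cmdline": "sh -c id"},
    # python3 under n8n: only legitimate if it is a spawn you know (hypothetical runner cmdline)
    {"ts": "2025-12-27T02:14:05Z", "parent_exe": "/usr/local/bin/node", "parent_cmdline": N8N_CMD,
     "exe": "/usr/bin/python3", "cmdline": "python3 -m example_task_runner"},
    # node, but not n8n: out of scope for this rule
    {"ts": "2025-12-27T02:15:11Z", "parent_exe": "/usr/bin/node", "parent_cmdline": "node /srv/app/server.js",
     "exe": "/usr/bin/curl", "cmdline": "curl -s https://example.org"},
    {"ts": "2025-12-27T02:16:40Z", "parent_exe": "/usr/local/bin/node", "parent_cmdline": N8N_CMD,
     "exe": "/usr/bin/git", "cmdline": "git --version"},
])

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, allow_prefixes=("python3 -m example_task_runner",)):
        print(hit["ts"], hit["exe"], hit["cmdline"])
```

Without the allowlist the python3 spawn is reported as well, which is the rule's behaviour as written.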
Remediation & Mitigation
✅ Primary Fix (Strongly Recommended)
Upgrade to n8n version 2.0.0 or later
Version 2.0.0 replaces the vulnerable Pyodide-based execution with a task-runner-based native Python implementation, providing proper isolation.
| Reference | Link |
|---|---|
| GitHub Security Advisory | https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v |
| NVD Entry | https://nvd.nist.gov/vuln/detail/CVE-2025-68668 |
| n8n Official Docs – Blocking Nodes | https://docs.n8n.io/hosting/securing/blocking-nodes/ |
| n8n Official Docs – Task Runners | https://docs.n8n.io/hosting/configuration/task-runners/ |
Temporary Workarounds (If Upgrade Is Not Immediately Possible)
Option 1 – Disable Code Node Completely
```bash
NODES_EXCLUDE='["n8n-nodes-base.code"]'
```
Option 2 – Disable Python Support Only (v1.104.0+)
```bash
N8N_PYTHON_ENABLED=false
```
Option 3 – Enable Task Runner-Based Python Sandbox
```bash
N8N_RUNNERS_ENABLED=true
N8N_NATIVE_PYTHON_RUNNER=true
```
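As an added example (not from the advisory or from n8n), a small checker that applies the primary fix and the three workarounds above to a constructed fleet snapshot, including the v1.104.0 floor for Option 2 and the requirement that NODES_EXCLUDE be a JSON array as shown; host names, versions and settings are hypothetical.

```python
import json
import re

CODE_NODE = "n8n-nodes-base.code"

def parse_version(text):
    """Turn 'v1.104.2' or '2.0.0' into a comparable 3-tuple (non-numeric parts ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def code_node_excluded(env):
    """Option 1: NODES_EXCLUDE must be a JSON array naming the Code Node, as shown above."""
    try:
        excluded = json.loads(env.get("NODES_EXCLUDE", "[]"))
    except json.JSONDecodeError:
        return False  # a bare, unquoted value is not a JSON array and excludes nothing
    return isinstance(excluded, list) and CODE_NODE in excluded

def flag(env, key, value):
    return env.get(key, "").strip().lower() == value

def assess(version, env):
    """Return (mitigated, reason): primary fix first, then the workarounds in the advisory's order."""
    v = parse_version(version)
    if v >= (2, 0, 0):
        return True, "fixed release (>= 2.0.0)"
    if code_node_excluded(env):
        return True, "Option 1: Code Node excluded via NODES_EXCLUDE"
    if flag(env, "N8N_PYTHON_ENABLED", "false"):
        if v >= (1, 104, 0):
            return True, "Option 2: Python support disabled"
        return False, "N8N_PYTHON_ENABLED=false needs v1.104.0+; use Option 1 or upgrade"
    if flag(env, "N8N_RUNNERS_ENABLED", "true") and flag(env, "N8N_NATIVE_PYTHON_RUNNER", "true"):
        return True, "Option 3: task-runner-based native Python enabled"
    return False, "Pyodide-based Python Code Node still reachable; upgrade to 2.0.0"

# Constructed fleet snapshot (hypothetical hosts, versions and settings).
FLEET = {
    "n8n-prod-1": ("1.98.0", {}),
    "n8n-prod-2": ("1.98.0", {"N8N_PYTHON_ENABLED": "false"}),            # too old for Option 2
    "n8n-prod-3": ("1.110.0", {"N8N_PYTHON_ENABLED": "false"}),
    "n8n-dev-1": ("1.50.0", {"NODES_EXCLUDE": "n8n-nodes-base.code"}),    # not a JSON array
    "n8n-dev-2": ("1.50.0", {"NODES_EXCLUDE": '["n8n-nodes-base.code"]'}),
    "n8n-new": ("v2.1.0", {}),
}

def unmitigated_hosts(fleet=FLEET):
    """Hosts still exposed, sorted for ticketing."""
    return sorted(host for host, (ver, env) in fleet.items() if not assess(ver, env)[0])
```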
Additional Hardening Recommendations
- Restrict workflow creation/modification permissions
- Run n8n with least-privilege OS permissions
- Segment network access to reduce lateral movement
- Enable centralized logging and SIEM ingestion
- Audit existing workflows for suspicious Python Code Nodes
- Perform regular security reviews using n8n audit features
Final Takeaway
This vulnerability enables full host compromise through a legitimate workflow feature.
Any organization running affected versions should treat this as an urgent, high-impact risk and prioritize immediate remediation.
