n8n CVE‑2025‑68668: Critical Python Sandbox Escape

A critical flaw in n8n’s Python Code Node (CVE‑2025‑68668) lets authenticated users run arbitrary OS commands on the host server. The issue, born from a Pyodide sandbox bypass, affects n8n versions 1.0.0–<2.0.0 and carries a CVSS score of 9.9—meaning high impact on confidentiality and integrity with low attack complexity. If you rely on n8n for workflow or business process automation, this is a high‑priority incident: insider misuse or compromised accounts can pivot from workflow edits to full system compromise.

In this guide, you’ll learn what the vulnerability is, how it’s exploited, risks to your environment, commercially relevant mitigation paths, and best practices mapped to NIST CSF, ISO/IEC 27001, CIS Controls, and MITRE ATT&CK.

What Is CVE‑2025‑68668? (Definition & Concepts)

CVE‑2025‑68668 is a protection mechanism failure (CWE‑693) in n8n’s Pyodide‑based Python Code Node. Authenticated users with workflow creation or modification rights can escape the Python sandbox and execute commands with the same privileges as the n8n process. Impact areas: data exfiltration, workflow tampering, credential theft, and lateral movement.

Affected versions: 1.0.0 up to (but not including) 2.0.0. Patched in 2.0.0, where a task‑runner‑based native Python implementation becomes the default security model.

How the Sandbox Bypass Works

Pyodide & Host Interaction

n8n previously executed Python within Pyodide (Python in WebAssembly). While Wasm sandboxes are strong in browsers, server‑side integration points (e.g., Pyodide’s js module bridging to host JS) can become dangerous if not aggressively isolated. In affected n8n builds, this bridge let Python code pierce sandbox boundaries and reach host capabilities, ultimately enabling OS command execution.

Privilege Boundary

Exploit code runs with the n8n process’s privileges—often enough to read secrets, manipulate workflows, or run shell commands. The exploit requires authentication (a low bar in multi‑tenant deployments or shared admin workflows) and no additional user interaction. Attack complexity is low and can be launched remotely.

Why It Matters for CISOs, SOCs, and DevOps

Threat detection & incident response: The attacker looks like a legitimate workflow editor, complicating detection. SIEM signals must correlate workflow edits with host command execution.
Zero trust implications: If least privilege is weak, routine editors gain system‑level influence.
Cloud security posture: In containerized/cloud‑hosted n8n, shared credentials, secrets, and integrations are at risk, enabling lateral movement into adjacent services.
Commercial impact: Workflow downtime hits automation pipelines, SLAs, and customer integrations, with potential compliance violations (e.g., access to regulated data).

CVSS 9.9 (Critical) underscores this risk profile; scope change indicates sandbox code can affect host resources beyond its normal boundary.

Real‑World Scenarios & Case Patterns

Malicious insider: A user with workflow edit rights injects Python that escapes the sandbox to dump environment variables, exfiltrate API keys, and trigger shell commands for data staging.
Compromised editor account: Phished or reused credentials let an attacker modify an existing workflow, adding stealthy Python steps that run on schedule and persist via job triggers.
Supply chain pivot: Attackers leverage n8n’s integrations (DBs, cloud services), using command execution to download tooling, create reverse shells, or plant persistence in adjacent infrastructure.

Common Mistakes & Misconceptions

“Only admins are risky.” False. Any editor can exploit this path; PR:L (low privileges required).
“Containers fully contain the blast radius.” Not necessarily. Command execution inside the container often exposes mounted volumes, service credentials, and network paths.
“We disabled Code Node globally; we’re safe.” Check for legacy or Python‑enabled variants, and confirm environment flags are correctly enforced.
“We’ll wait to upgrade.” Delaying increases insider risk and compliance exposure while workarounds can be misconfigured or bypassed.

The Fixes: Patches & Mitigations

1) Upgrade Strategy

Upgrade to n8n 2.0.0 or later. The release enables the task‑runner‑based native Python implementation by default, improving isolation.
- Why 2.0.0? It removes the vulnerable Pyodide model and hardens security defaults.

2) Strong Interim Mitigations (H3)

If immediate upgrade is not possible

Disable the entire Code Node Shell# n8n environment
NODES_EXCLUDE='[“n8n-nodes-base.code”]’
Show more lines
Disable Python support in Code Node (available since 1.104.0) Shell# n8n environment
N8N_PYTHON_ENABLED=false
Show more lines
Enable task‑runner‑based Python sandbox (available since 1.111.0) Shell# n8n environment
N8N_RUNNERS_ENABLED=true
N8N_NATIVE_PYTHON_RUNNER=true
Show more lines

Key takeaway: Upgrading to 2.0.0+ is the long‑term fix. Interim mitigations reduce exposure but rely on correct configuration and operational discipline.

Mitigation Options: Comparison Table

Option	Security Strength	Operational Impact	When to Use	Notes
Upgrade to 2.0.0+	High	Medium	Primary path	Default native Python task runner; hardened model.
Disable Code Node	High	High	Strict environments	Blocks all Code Node usage; simplest risk removal.
Disable Python in Code Node	Medium	Medium	Mixed JS/Python shops	Keeps JS; removes Python attack path.
Enable task‑runner sandbox (>=1.111.0)	Medium‑High	Medium	Pre‑upgrade hardening	Moves Python exec to isolated runner.

Detection & Response Playbook

Goal: Rapidly identify exploitation, contain impact, and eradicate persistence across workflows and hosts.

Hunt for indicators
- Unusual Code Node edits and new Python steps in critical workflows.
- Host process forks, shell invocations (/bin/sh, powershell), and network beacons from the n8n container/VM.
Correlate auth & edit events
- Tie editor actions to host telemetry (Sysmon, auditd, container runtime logs).
Contain
- Disable Code Node platform‑wide; rotate secrets loaded into n8n; block egress from the n8n runtime to reduce data exfiltration.
Eradicate
- Upgrade to 2.0.0+; rebuild containers; purge malicious workflow versions and restore from known‑good snapshots.
Recover & harden
- Reinstate least‑privilege editor roles, enforce MFA, and implement change‑control for workflow edits (peer review, approvals).
Post‑incident
- Map findings to MITRE ATT&CK (e.g., T1059.006 – Python, T1078 – Valid Accounts, T1202 – Indirect Command Execution), update detections and runbooks.

Best Practices & Actionable Steps

Governance & access control
- Enforce least privilege for workflow editors; separate development, staging, and production n8n instances.
Secrets hygiene
- Store credentials in external secret managers; limit ENV exposure. (n8n 2.0 strengthens env blocking defaults.)
Hardening & isolation
- Run n8n in dedicated namespaces/projects, apply read‑only FS where possible, and restrict outbound egress via firewall policies.
Observability
- Forward n8n audit logs, container runtime events, and host command telemetry to SIEM; alert on workflow edits to critical pipelines.
Patch cadence
- Track GitHub advisories and NVD; automate dependency checks and rolled upgrades.

Compliance & Regulatory Relevance

NIST CSF: Aligns to PR.AC (Access Control), PR.DS (Data Security), DE.CM (Monitoring), RS.MI (Mitigation).
ISO/IEC 27001: Controls for A.5.15 (Access control), A.8.16 (Secure development), A.8.23 (Technical vulnerability management).
CIS Controls: CIS 6 (Access control), CIS 12 (Network monitoring), CIS 18 (Penetration testing & red teaming).
SOC 2 (Security, Availability): Change management and logical access expected.
MITRE ATT&CK: Emphasize Execution, Credential Access, Exfiltration, and Lateral Movement pathways.

Board‑level summary: CVE‑2025‑68668 expands an editor’s capability from workflow scripting to system command execution, violating segregation of duties and least privilege principles—an urgent risk to regulated data and SLAs.

Tooling, Frameworks, and Standards

Standards/Frameworks: NIST CSF, ISO/IEC 27001, CIS Controls, MITRE ATT&CK.
Detection tooling: SIEM (Microsoft Sentinel, Splunk), EDR (Defender for Endpoint), container runtime auditing (Falco), and cloud‑native firewalls.
Vulnerability intel: Monitor GitHub Advisory Database and NVD for updates and related n8n issues (e.g., recent n8n RCEs).

Executive Risk‑Impact Analysis

Likelihood: Elevated in environments with many editors or shared credentials.
Impact: High data exposure (secrets, customer data), workflow sabotage, and service outages.
Time to remediate: Short for interim mitigations (env flags), Medium for full upgrade and regression testing.
Residual risk: Low post‑upgrade to 2.0.0+ with hardened runner and tightened access.

FAQs

Q1. Which versions are vulnerable?
n8n 1.0.0 up to, but not including, 2.0.0. Patch is available in 2.0.0.

Q2. Do attackers need admin rights?
No. Any authenticated user with workflow edit/creation permissions can exploit the flaw (PR:L).

Q3. What are the fastest mitigations if I can’t upgrade today?

Disable Code Node (NODES_EXCLUDE).
Disable Python in Code Node (N8N_PYTHON_ENABLED=false).
Enable task‑runner Python (N8N_RUNNERS_ENABLED, N8N_NATIVE_PYTHON_RUNNER).

Q4. What does the 9.9 CVSS score mean for my environment?
Critical severity, low complexity, no extra user interaction, and scope change—expect high confidentiality/integrity impact if exploited.

Q5. Will containers or cloud hosting fully protect me?
Not by themselves. Command execution within the runtime can still access mounted volumes, secrets, and network paths; harden isolation and restrict egress.

Q6. Who disclosed it?
The GitHub advisory credits csuermann and ties to GHSA‑62r4‑hw23‑cc8v for the official record.

Conclusion

CVE‑2025‑68668 is a critical, low‑complexity path from workflow editing to host command execution in n8n. The authoritative fix is upgrading to 2.0.0+—which enables the native Python task runner and tightens defaults (including environment protections). Until you upgrade, disable the Code Node or Python, and turn on the runner‑based sandbox to reduce risk.