CVE-2025-68668: Arbitrary Command Execution in n8n Python Code Node
A newly disclosed security issue in n8n, tracked as CVE-2025-68668, has drawn attention from security teams because of its severity and potential impact. The vulnerability affects a core feature used by many teams to automate tasks and integrate systems, which makes understanding the risk especially important for organizations running n8n in production.
At a high level, the issue allows certain authenticated users to escape built-in safeguards and run system-level commands on the server hosting n8n. This blog post aims to explain what the vulnerability is, who is affected, how it can be exploited, and what practical steps users can take to reduce risk or fully remediate the issue.
What Is CVE-2025-68668 and Why Is It Critical?
CVE-2025-68668 (CVSS 9.9) is classified as a protection mechanism failure. It stems from a sandbox bypass in the Python Code Node that relies on Pyodide for execution.
Because the sandbox can be escaped, the isolation boundary between workflow code and the underlying operating system breaks down. The result is a vulnerability that directly impacts confidentiality and integrity, with a high potential for abuse.
[Figure: CVE-2025-68668 as shown in SOCRadar Vulnerability Intelligence]
This issue follows another recently disclosed critical n8n flaw, CVE-2025-68613, which also enabled high-impact code execution under specific conditions, highlighting a broader pattern of risk in workflow execution components.
Which n8n Versions Are Affected by CVE-2025-68668?
The vulnerability impacts all n8n versions from 1.0.0 up to, but not including, 2.0.0. Any deployment running within this range is considered vulnerable if the affected functionality is enabled.
The issue has been fully addressed starting with n8n version 2.0.0, where a more secure execution model is enabled by default.
Who Can Exploit This Vulnerability?
Exploitation of CVE-2025-68668 requires authenticated access, but the bar is relatively low. Any user who has permission to create or modify workflows can trigger the flaw. No user interaction is required beyond normal workflow execution, and the attack can be launched remotely over the network.
How Does the Python Code Node Lead to Command Execution?
The Python Code Node allows users to run Python logic as part of a workflow. In affected versions, this execution relies on Pyodide-based sandboxing. Due to flaws in that isolation model, an attacker can break out of the sandbox and execute arbitrary operating system commands. These commands run with the same privileges as the n8n process itself, which can be significant depending on how the service is deployed.
What Fixes and Workarounds Are Available?
The long-term fix is to upgrade to n8n 2.0.0, where a task runner-based native Python implementation is the default.
For users who cannot immediately upgrade, n8n’s advisory lists several mitigations:
- Disable the Code Node entirely using the NODES_EXCLUDE environment variable.
- Disable Python support in the Code Node by setting N8N_PYTHON_ENABLED=false.
- Enable the more secure task runner–based Python sandbox using N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER.
These measures reduce exposure while organizations plan a full upgrade.
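The following script is an added example, not code from the SOCRadar post or from the n8n project. It turns the affected version range (1.0.0 inclusive to 2.0.0 exclusive) and the three listed workarounds into a defender-side audit of a deployment's version string and environment file, reporting whether any mitigation is in effect. Assumptions beyond the text: the Code Node's type identifier in NODES_EXCLUDE is taken to be `n8n-nodes-base.code`, N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER are both expected to be set to `true` for the task runner workaround to count, and the sample `.env` content is constructed for the demonstration.

```python
"""Audit an n8n deployment for CVE-2025-68668 exposure from its version and
environment variables. Added example; not the advisory's or n8n's own code."""
import json
import re
from dataclasses import dataclass, field

# Assumption: type identifier of the Code Node as it would appear in NODES_EXCLUDE.
CODE_NODE_TYPE = "n8n-nodes-base.code"
AFFECTED_MIN = (1, 0, 0)   # inclusive lower bound from the advisory
FIXED_AT = (2, 0, 0)       # exclusive: 2.0.0 enables the task-runner Python model


def parse_version(version: str) -> tuple:
    """Turn 'v1.2.3-rc1' into (1, 2, 3); missing components count as 0."""
    parts = version.strip().lstrip("vV").split(".")
    nums = []
    for part in parts[:3]:
        match = re.match(r"\d+", part)
        nums.append(int(match.group()) if match else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_in_affected_range(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT


def _truthy(value) -> bool:
    return value is not None and value.strip().lower() in ("true", "1", "yes")


def code_node_excluded(env: dict) -> bool:
    """NODES_EXCLUDE is read as a JSON array of node types; a plain
    comma-separated list is tolerated as a fallback."""
    raw = env.get("NODES_EXCLUDE", "").strip()
    if not raw:
        return False
    try:
        excluded = json.loads(raw)
        if not isinstance(excluded, list):
            return False
    except json.JSONDecodeError:
        excluded = [item.strip().strip("'\"") for item in raw.strip("[]").split(",")]
    return CODE_NODE_TYPE in excluded


@dataclass
class Finding:
    version: str
    affected_version: bool
    mitigated: bool
    reasons: list = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        return self.affected_version and not self.mitigated


def assess(version: str, env: dict) -> Finding:
    """Apply the advisory's version range, then check each listed workaround."""
    if not version_in_affected_range(version):
        return Finding(version, False, True, ["version outside the 1.0.0 <= v < 2.0.0 range"])
    reasons = []
    if code_node_excluded(env):
        reasons.append("Code Node disabled via NODES_EXCLUDE")
    if env.get("N8N_PYTHON_ENABLED", "").strip().lower() == "false":
        reasons.append("Python disabled via N8N_PYTHON_ENABLED=false")
    # Assumption: both runner variables must be true for the sandbox workaround.
    if _truthy(env.get("N8N_RUNNERS_ENABLED")) and _truthy(env.get("N8N_NATIVE_PYTHON_RUNNER")):
        reasons.append("task-runner Python sandbox enabled")
    mitigated = bool(reasons)
    if not mitigated:
        reasons.append("no workaround set; upgrade to 2.0.0 or apply a mitigation")
    return Finding(version, True, mitigated, reasons)


def load_env_file(text: str) -> dict:
    """Parse dotenv-style KEY=VALUE lines; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


# Constructed sample: a 1.x deployment that only half-applied the runner workaround.
SAMPLE_VERSION = "1.75.2"
SAMPLE_ENV_FILE = """
# constructed .env for an n8n container
N8N_RUNNERS_ENABLED=true
N8N_PYTHON_ENABLED=true
"""

if __name__ == "__main__":
    finding = assess(SAMPLE_VERSION, load_env_file(SAMPLE_ENV_FILE))
    print("EXPOSED" if finding.exposed else "mitigated", finding.reasons)
```

Run it against each n8n instance's version and environment (for containers, the same variables can be read from the compose file or the container's environment); an instance reported as exposed has none of the advisory's workarounds in place and should be scheduled for the 2.0.0 upgrade first.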
Turn Vulnerability Awareness Into Action With SOCRadar’s Continuous Threat Intelligence
Workflow automation platforms often sit at the center of business processes and integrations, which makes vulnerabilities like CVE-2025-68668 operationally significant. A flaw that enables command execution at the host level can quickly escalate if it goes unnoticed or untracked across environments.
This is where SOCRadar’s Cyber Threat Intelligence module becomes particularly relevant. By continuously monitoring newly disclosed CVEs, exploit activity, and vendor advisories, security teams can track vulnerabilities in near real time, assess their potential impact, and prioritize remediation efforts based on active threat context rather than static severity scores alone.
[Figure: SOCRadar’s Vulnerability Intelligence]
In parallel, SOCRadar’s Attack Surface Management (ASM) capabilities help organizations maintain visibility into exposed assets where vulnerable services like n8n may be running. This added context allows teams to identify whether affected instances are internet-facing, misconfigured, or otherwise increasing risk.
