
CVE

GHSA-62r4-hw23-cc8v

n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node

Impact

A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide.

An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process.

Patches

In n8n version 1.111.0, a task-runner-based native Python implementation was introduced as an optional feature, providing a more secure isolation model.

To enable it, set the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

This implementation became the default starting with n8n version 2.0.0.

Workarounds

  • Disable the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]"
  • Disable Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0.
  • Configure n8n to use the task-runner-based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.
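The workarounds above only take effect on the versions that support them, so a deployment audit has to combine the running n8n version with the environment. The following POSIX shell script is an added example (not part of the advisory or of n8n) that reads a constructed KEY=VALUE env file and reports whether the Pyodide Python Code node path is still reachable, using the version thresholds stated on this page (N8N_PYTHON_ENABLED from 1.104.0, native Python runner from 1.111.0, default from 2.0.0). The env-file layout, the helper names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: audit an n8n deployment for the Pyodide Python Code node.
# Assumes a flat KEY=VALUE env file (one setting per line, optional quotes).

# version_ge A B: succeed when dotted version A >= B (pre-release suffix ignored,
# so 2.0.0-rc.1 compares as 2.0.0, matching the "Fix Available" list above).
version_ge() {
  a="${1%%-*}.0.0"; b="${2%%-*}.0.0"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# env_get FILE KEY: value of KEY (last occurrence wins, surrounding quotes stripped).
env_get() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | sed -e 's/^"\(.*\)"$/\1/'
}

# pyodide_exposed VERSION ENVFILE: prints "exposed" (status 0) or
# "mitigated:<reason>" (status 1), applying the advisory's version gates.
pyodide_exposed() {
  ver="$1"; env="$2"
  if version_ge "$ver" 2.0.0; then
    echo "mitigated:native-runner-default"; return 1
  fi
  if version_ge "$ver" 1.104.0 && [ "$(env_get "$env" N8N_PYTHON_ENABLED)" = "false" ]; then
    echo "mitigated:python-disabled"; return 1
  fi
  if env_get "$env" NODES_EXCLUDE | grep -q 'n8n-nodes-base.code'; then
    echo "mitigated:code-node-excluded"; return 1
  fi
  if version_ge "$ver" 1.111.0 \
     && [ "$(env_get "$env" N8N_RUNNERS_ENABLED)" = "true" ] \
     && [ "$(env_get "$env" N8N_NATIVE_PYTHON_RUNNER)" = "true" ]; then
    echo "mitigated:native-runner-enabled"; return 1
  fi
  echo "exposed"; return 0
}

# Demo on a constructed env file (assumed values, not a real deployment).
tmp=$(mktemp)
printf 'N8N_PYTHON_ENABLED=true\nN8N_RUNNERS_ENABLED=true\nN8N_NATIVE_PYTHON_RUNNER=true\n' > "$tmp"
for v in 1.100.0 1.111.0 2.0.0; do
  printf 'n8n %s: %s\n' "$v" "$(pyodide_exposed "$v" "$tmp")"
done
rm -f "$tmp"
```

The 1.100.0 case stays "exposed" even with both runner variables set, because the native Python runner they select only exists from 1.111.0 onward.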

CVSS

Severity: Critical
Base Score: 9.9
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L


References

  • https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v
  • https://nvd.nist.gov/vuln/detail/CVE-2025-68668
  • https://github.com/n8n-io/n8n
  • https://www.smartkeyss.com/post/cve-2025-68668-breaking-out-of-the-python-sandbox-in-n8n


Basic Information

Ecosystem:
Base CVSS: 9.9
EPSS Probability: 0.00101%
EPSS Percentile: 0.28521%
Introduced Version: 1.0.0, 1.12.0, 0.226.0
Fix Available: 2.0.0, 2.0.0-rc.1
