Severe Flaw Exposes n8n Hosts to Remote Command Execution

A new critical security vulnerability has emerged in n8n, an open-source workflow automation platform, and it could enable an authenticated attacker to execute arbitrary system commands on the underlying host.

The vulnerability is tracked as CVE-2025-68668 and carries a CVSS score of 9.9. Researchers have described the flaw as a protection mechanism failure, underscoring its severity.

Affected Versions and Impact

The vulnerability affects versions from 1.0.0 up to, but not including, 2.0.0. In these versions, an authenticated user with permission to create or modify workflows can execute arbitrary operating system commands on the host running n8n. n8n has resolved the issue in version 2.0.0.

“A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide,” an advisory for the flaw states. “An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process.”

n8n explained that it introduced a task runner-based native Python implementation in version 1.111.0 as an optional feature to improve security isolation. Users can enable this feature by configuring the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. With the release of version 2.0.0, n8n has made this implementation the default.

Recommended Workarounds and Mitigations

Until users upgrade, n8n recommends several workarounds, including the following steps:

  • Disable the Code Node by setting the environment variable
    NODES_EXCLUDE: ["n8n-nodes-base.code"]
  • Disable Python support in the Code node by setting
    N8N_PYTHON_ENABLED=false
  • Configure n8n to use the task runner-based Python sandbox via the
    N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables
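As an added example (not code from the advisory or from the n8n project), the following POSIX shell script audits an n8n deployment's version and its KEY=VALUE environment file for the workarounds listed above. It assumes the env file uses the plain `KEY=VALUE` format that `docker run --env-file` reads, and that the two runner variables are turned on by setting them to the literal string `true`; the page itself does not state the expected values, so that is an assumption. The sample env files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the n8n project): audit an n8n
# deployment's version and KEY=VALUE env file for the CVE-2025-68668
# workarounds. Assumption: N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER
# are enabled by setting them to the literal string "true".

# Print the value of KEY ($2) in env FILE ($1); last definition wins, empty if unset.
n8n_env_get() {
  grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Return 0 if VERSION is in the affected range 1.0.0 <= v < 2.0.0 (any 1.x
# release); 2.0.0 and later contain the fix.
n8n_version_affected() {
  major=$(echo "$1" | cut -d. -f1)
  [ "$major" -eq 1 ]
}

# Return 0 and print which workaround is in place; return 1 if none is complete.
n8n_check_mitigations() {
  f="$1"
  if n8n_env_get "$f" NODES_EXCLUDE | grep -qF 'n8n-nodes-base.code'; then
    echo "ok: Code node excluded via NODES_EXCLUDE"
    return 0
  fi
  if [ "$(n8n_env_get "$f" N8N_PYTHON_ENABLED)" = "false" ]; then
    echo "ok: Python disabled in the Code node (N8N_PYTHON_ENABLED=false)"
    return 0
  fi
  runners=$(n8n_env_get "$f" N8N_RUNNERS_ENABLED)
  native=$(n8n_env_get "$f" N8N_NATIVE_PYTHON_RUNNER)
  if [ "$runners" = "true" ] && [ "$native" = "true" ]; then
    echo "ok: task runner-based Python sandbox enabled"
    return 0
  fi
  # Edge case: only one of the two runner variables set is not a mitigation.
  if [ "$runners" = "true" ] || [ "$native" = "true" ]; then
    echo "WARNING: only one of N8N_RUNNERS_ENABLED / N8N_NATIVE_PYTHON_RUNNER is set; both are required"
  fi
  echo "WARNING: no CVE-2025-68668 workaround found in $f"
  return 1
}

# Combined check: a fixed version passes outright; an affected version passes
# only if one of the workarounds is present in the env file.
n8n_audit() {
  version="$1"; f="$2"
  if ! n8n_version_affected "$version"; then
    echo "ok: n8n $version is outside the affected range (fixed in 2.0.0)"
    return 0
  fi
  echo "n8n $version is affected; checking workarounds in $f"
  n8n_check_mitigations "$f"
}

# Write two constructed sample env files into directory $1 for the demo.
n8n_write_samples() {
  cat > "$1/unmitigated.env" <<'EOF'
N8N_HOST=n8n.example.internal
N8N_PYTHON_ENABLED=true
N8N_RUNNERS_ENABLED=true
EOF
  cat > "$1/mitigated.env" <<'EOF'
N8N_HOST=n8n.example.internal
N8N_RUNNERS_ENABLED=true
N8N_NATIVE_PYTHON_RUNNER=true
EOF
}

# Demo run over the constructed samples (the audit returns 1 for the
# unmitigated file, so that call is guarded to keep the demo going).
n8n_demo() {
  d=$(mktemp -d)
  n8n_write_samples "$d"
  n8n_audit 1.110.1 "$d/unmitigated.env" || echo "  -> audit failed as expected"
  n8n_audit 1.110.1 "$d/mitigated.env"
  n8n_audit 2.0.0 "$d/mitigated.env"
  rm -rf "$d"
}

n8n_demo
```

Run it against a real deployment with `n8n_audit "$(n8n --version)" /path/to/n8n.env`; the exit status makes it usable as a gate in a deployment pipeline, and the partial-runner warning catches the common mistake of enabling task runners without switching the Python runner to the native implementation.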

The disclosure follows n8n’s remediation of another critical vulnerability, CVE-2025-68613 (CVSS score: 9.9), which could also lead to arbitrary code execution under certain circumstances.

Source: TheHackerNews
