Executive Summary
Cyera Research Labs has disclosed a critical vulnerability in n8n (CVE-2025-68668, CVSS 9.9) that allows authenticated attackers to escape the Python sandbox in n8n’s Code node and achieve remote code execution (RCE). Due to n8n’s role as a centralized automation and integration platform, successful exploitation can lead to organization-wide compromise, including credential theft, privilege escalation, and abuse of trusted integrations.
This finding follows previous high-impact n8n vulnerabilities and highlights a broader security risk in modern workflow automation and agentic AI execution platforms.
Why This Vulnerability Matters
n8n is not just a workflow tool — it functions as an automation control plane. Organizations rely on it to orchestrate actions across:
- Databases
- Cloud infrastructure
- SaaS platforms
- Identity and internal systems
To do this, n8n stores long-lived, high-privilege credentials such as API keys, OAuth tokens, and database passwords. Compromising n8n therefore means compromising the trust relationships between many systems at once.
Root Cause: Unsafe Sandbox Design
The vulnerability originates from how n8n executes Python code using Pyodide. While n8n attempted to secure execution by blocking specific dangerous functions (for example, os.system), this approach relied on a blocklist model rather than true capability isolation.
Key design flaw
Blocking individual functions does not remove the underlying capability.
Attackers were able to reach the same privileged operations through alternative, unblocked execution paths.
Confirmed Sandbox Escape Techniques
The research confirmed two independent sandbox bypasses:
- ctypes-based escape: Python’s Foreign Function Interface (ctypes) can directly invoke native functions such as libc.system(), bypassing the blocked os.system wrapper.
- Alternate code evaluation path: The internal _pyodide._base.eval_code() function allows execution in a context where n8n’s security patches are not applied, restoring access to blocked operations.
Both techniques allow attackers to execute operating system commands with the same privileges as the n8n process.
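A defender reviewing existing workflows will want to know which Python Code nodes reference either of the two primitives named above. The script below is an added example, not tooling from Cyera Research Labs or the n8n project: it walks an n8n workflow export and flags Python Code nodes whose source mentions ctypes or _pyodide. The export field names it relies on (node type n8n-nodes-base.code, parameters.language, parameters.pythonCode) are assumptions about the export format, and the sample export is constructed for the example.

```python
"""Flag Python Code nodes in an n8n workflow export that reference the
primitives named in the advisory (ctypes, _pyodide).

Added example. Field names (type, parameters.language, parameters.pythonCode)
are assumptions about the n8n workflow export format, not taken from the
advisory; adjust them if your export differs."""
import json
import re

CODE_NODE_TYPE = "n8n-nodes-base.code"  # assumed type name of the Code node

# The two bypass paths the advisory names. Matching is deliberately broad
# (any reference, not only import statements): a list of exact spellings is
# the same blocklist thinking the advisory criticises, so a hit means
# "review this node", not "this node is an exploit".
INDICATORS = {
    "ctypes": re.compile(r"\bctypes\b"),
    "_pyodide": re.compile(r"\b_pyodide\b"),
}


def python_code_nodes(workflow: dict):
    """Yield (node name, source) for every Code node configured for Python."""
    for node in workflow.get("nodes", []):
        if node.get("type") != CODE_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        if params.get("language") != "python":  # JavaScript nodes are out of scope
            continue
        yield node.get("name", "<unnamed>"), params.get("pythonCode", "")


def scan_workflow(workflow: dict) -> list:
    """Return one finding per Python Code node that references an indicator."""
    findings = []
    for name, source in python_code_nodes(workflow):
        hits = [label for label, pat in INDICATORS.items() if pat.search(source)]
        if hits:
            findings.append({"node": name, "indicators": hits})
    return findings


def scan_export(text: str) -> list:
    """Accept a single workflow object or a list of workflows (bulk export)."""
    data = json.loads(text)
    workflows = data if isinstance(data, list) else [data]
    findings = []
    for wf in workflows:
        for finding in scan_workflow(wf):
            findings.append({"workflow": wf.get("name", "<unnamed>"), **finding})
    return findings


# Constructed sample export: a benign Python node, a Python node that
# references ctypes, and a JavaScript node that must be ignored.
SAMPLE_EXPORT = json.dumps([{
    "name": "nightly-sync",
    "nodes": [
        {"name": "Transform", "type": CODE_NODE_TYPE,
         "parameters": {"language": "python",
                        "pythonCode": "return [{'json': {'ok': True}}]"}},
        {"name": "Suspicious", "type": CODE_NODE_TYPE,
         "parameters": {"language": "python",
                        "pythonCode": "import ctypes\nreturn []"}},
        {"name": "JS step", "type": CODE_NODE_TYPE,
         "parameters": {"language": "javaScript",
                        "jsCode": "return $input.all();"}},
    ],
}])

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Run it against the JSON produced by an n8n workflow export; a hit on a node that has no legitimate need for native calls or the Pyodide internals is a reason to inspect that workflow and its author before anything else.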
From RCE to Full Platform Compromise
Once RCE is achieved, the impact escalates rapidly:
- Access to n8n’s runtime environment
- Direct access to the mounted n8n database
- Ability to modify user roles (e.g., upgrade a normal user to admin)
- Full visibility into all stored credentials and workflows
- Abuse of trusted integrations to pivot into cloud, SaaS, and internal systems
This represents a collapse of trust boundaries, turning a low-privilege workflow user into an organization-wide threat actor.
Security Impact Overview
- Attack Vector: Network
- Privileges Required: Low (authenticated workflow author)
- User Interaction: None
- Impact Scope: Changed (cross-system compromise)
- Confidentiality & Integrity: High
- Availability: Secondary concern
The CVSS 9.9 rating reflects how easily exploitable and far-reaching the impact is in real-world deployments.
Mitigation and Remediation
Immediate Actions
If upgrading is not immediately possible:
- Disable Python execution in n8n
- Or disable the Code node entirely using environment configuration
Long-Term Fix
- Migrate away from legacy Pyodide execution
- Adopt runner-based, process-isolated execution, as recommended by n8n
- Treat workflow code execution as untrusted by default
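To check a deployment against the two configuration paths above (excluding the Code node as the immediate workaround, or moving Code node execution into process-isolated task runners as the long-term fix), the following audit script is an added example and not n8n's own tooling. It reads two documented n8n settings, NODES_EXCLUDE (a JSON array of node type names) and N8N_RUNNERS_ENABLED, which this page does not name itself; confirm both against the n8n documentation for the version in use. It inspects configuration only and does not check whether the running n8n release contains the fix.

```python
"""Audit an n8n environment for the two mitigation paths: Code node
excluded via NODES_EXCLUDE, or Code nodes isolated in task runners via
N8N_RUNNERS_ENABLED.

Added example, not n8n tooling. Both variables are documented n8n settings
that this page does not name; confirm their semantics for your version."""
import json
import os

CODE_NODE_TYPE = "n8n-nodes-base.code"
TRUTHY = {"true", "1", "yes", "on"}


def excluded_nodes(env) -> list:
    """Node types disabled through NODES_EXCLUDE. Absent, empty or malformed
    values are treated as 'nothing excluded' so the audit fails closed."""
    raw = (env.get("NODES_EXCLUDE") or "").strip()
    if not raw:
        return []
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        return []
    if not isinstance(value, list):
        return []
    return [v for v in value if isinstance(v, str)]


def audit(env) -> dict:
    """Audit one environment mapping (a dict or os.environ)."""
    runners = (env.get("N8N_RUNNERS_ENABLED") or "").strip().lower() in TRUTHY
    code_node_excluded = CODE_NODE_TYPE in excluded_nodes(env)
    findings = []
    if not runners:
        findings.append("N8N_RUNNERS_ENABLED is not true: Code nodes execute "
                        "inside the main n8n process")
    if not runners and not code_node_excluded:
        findings.append("Code node is neither excluded via NODES_EXCLUDE nor "
                        "isolated in a task runner")
    return {
        "runners_enabled": runners,
        "code_node_excluded": code_node_excluded,
        "mitigation_present": runners or code_node_excluded,
        "findings": findings,
    }


# Constructed configurations: the weak default beside the two mitigations.
WEAK_ENV = {}                                              # neither setting present
WORKAROUND_ENV = {"NODES_EXCLUDE": '["n8n-nodes-base.code"]'}  # immediate action
RUNNER_ENV = {"N8N_RUNNERS_ENABLED": "true"}               # long-term fix

if __name__ == "__main__":
    for label, env in [("weak", WEAK_ENV), ("workaround", WORKAROUND_ENV),
                       ("runners", RUNNER_ENV), ("this process", os.environ)]:
        print(label, audit(env))
```

Excluding the Code node removes the feature for every workflow, so it is the emergency measure; enabling task runners keeps the feature while putting the untrusted code in its own process, which is the posture the last bullet above asks for.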
References
Original full technical analysis by Cyera Research Labs
n8n Security Advisory: GHSA-62r4-hw23-cc8v