A critical security flaw has been uncovered in the popular open-source workflow automation platform n8n, and it's a serious one. The vulnerability carries a CVSS score of 9.9 and could allow an authenticated attacker to execute system commands on the underlying host.
The issue, tracked as CVE-2025-68668, stems from a protection mechanism failure. It affects n8n versions from 1.0.0 up to, but not including, 2.0.0. The worrying part: any authenticated user with permission to create or modify workflows can exploit the flaw to run arbitrary commands on the host system, with potentially significant damage.
Here is the context that makes the story more uncomfortable. n8n introduced a task runner-based native Python implementation in version 1.111.0, which provides stronger isolation for user-supplied code. That feature was opt-in, however, and users had to enable it manually by setting specific environment variables. With the release of version 2.0.0, the task runner implementation became the default, which is what addresses the vulnerability.
Upgrading to 2.0.0 is the proper fix. For deployments that cannot upgrade yet, n8n recommends the following workarounds: disable the Code node entirely, disable Python support within the Code node, or configure n8n to use the task runner-based Python sandbox. Each of these removes the affected code path from reach of workflow authors.
This disclosure comes on the heels of another critical vulnerability (CVE-2025-68613) that n8n addressed, which also carried a CVSS score of 9.9. Two 9.9-rated issues in quick succession underline the importance of tracking n8n's security advisories and applying updates promptly.
So, what are your thoughts on this critical vulnerability? Do you think n8n's response was sufficient, or should they have taken more proactive measures? We'd love to hear your opinions in the comments below!