CVE-2025-68668

🗓️ 26 Dec 2025 21:49:20Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 16 Media mentions👁 106 Views🌐 WEB

CVE-2025-68668: n8n Python Code Node Pyodide allows arbitrary command execution before 2.0.0; fixed in 2.0.0.

Reporter	Title	Published	Views	Family All 29
GithubExploit	Exploit for Improper Input Validation in N8N	30 Jan 202622:38	–	githubexploit
GithubExploit	Exploit for Improper Input Validation in N8N	9 Apr 202611:09	–	githubexploit
GithubExploit	Exploit for Improper Input Validation in N8N	24 Feb 202605:04	–	githubexploit
GithubExploit	Exploit for Protection Mechanism Failure in N8N	22 Feb 202610:16	–	githubexploit
Circl	CVE-2025-68668	26 Dec 202522:27	–	circl
CNNVD	n8n 安全漏洞	26 Dec 202500:00	–	cnnvd
Cvelist	CVE-2025-68668 n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node	26 Dec 202521:49	–	cvelist
EUVD	EUVD-2025-205454	26 Dec 202518:18	–	euvd
Github Security Blog	n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node	26 Dec 202518:18	–	github
Tenable Nessus	n8n Node.js Package 1.x < 2.0.0 Arbitrary Command Execution (N8scape)	12 Jan 202600:00	–	nessus

NVD

Vulners

Node

n8n n8nRange1.0.0–2.0.0node.js

[
  {
    "vendor": "n8n-io",
    "product": "n8n",
    "versions": [
      {
        "version": ">= 1.0.0, < 2.0.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v
smartkeyss	www.smartkeyss.com/post/cve-2025-68668-breaking-out-of-the-python-sandbox-in-n8n

Parameter	Position	Path	Description	CWE
document	upload data	form/vulnerable-form	Unauthenticated form with file upload can trigger the AFR → token forge → sandbox bypass → RCE chain under vulnerable workflow configurations.	CWE-693

17 Jun 2026 09:59Current

7.3High risk

Vulners AI Score7.3

CVSS 3.19.9

EPSS0.12685

SSVC

CWE-693