Platform
nodejs
Component
n8n
Fixed in
2.0.1
2.0.0
CVE-2025-68697 describes an Arbitrary File Access vulnerability in n8n, a workflow automation platform. This vulnerability allows authenticated users with workflow editing access to read and write files on the n8n host system, potentially leading to data breaches or system compromise. The vulnerability affects self-hosted n8n instances running in legacy JavaScript execution mode and is fixed in version 2.0.0.
An attacker exploiting this vulnerability could gain unauthorized access to sensitive files stored on the n8n host. This includes configuration files, database backups, and potentially other application data. The ability to write files allows for further malicious actions, such as overwriting critical system files or injecting malicious code. The scope of the attack is limited by file-access restrictions configured within the n8n instance and the underlying operating system/container permissions. Successful exploitation requires an authenticated user with workflow editing privileges, making it a privilege escalation concern within the n8n environment.
This vulnerability was publicly disclosed on December 26, 2025. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. Public proof-of-concept exploits are not currently available, but the vulnerability's nature suggests a moderate likelihood of exploitation if a PoC is released. The vulnerability's reliance on authenticated access limits its immediate widespread impact.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68697 is to upgrade to n8n version 2.0.0 or later, which addresses the vulnerable code execution path. If upgrading is not immediately feasible, consider disabling the legacy JavaScript execution mode within the Code node configuration. Additionally, ensure that file-access restrictions are properly configured within the n8n instance to limit the potential impact of a successful exploit. Review and tighten OS-level permissions on the n8n host to further restrict file access. There are no specific WAF rules or detection signatures readily available for this vulnerability, making proactive monitoring and timely patching crucial.
Upgrade n8n to version 2.0.0 or later. Alternatively, limit file operations by configuring N8N_RESTRICT_FILE_ACCESS_TO to a dedicated directory and ensure it does not contain sensitive data. Keep N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true to block access to .n8n and user-defined configuration files. Disable high-risk nodes (including the Code node) using NODES_EXCLUDE if you do not fully trust workflow editors.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-68697 is a HIGH severity vulnerability in n8n allowing authenticated workflow editors to read/write files on the host system if using legacy JavaScript execution mode. It impacts versions prior to 2.0.0.
You are affected if you are running a self-hosted n8n instance with a version prior to 2.0.0 and are using the legacy JavaScript execution mode in the Code node.
Upgrade to n8n version 2.0.0 or later. As a temporary workaround, disable the legacy JavaScript execution mode in the Code node configuration.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests a potential risk if a public proof-of-concept is released.
Refer to the official n8n security advisories on their website or GitHub repository for the latest information and updates regarding CVE-2025-68697.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.