n8n:CVE-2025-68697: Legacy Code node allows arbitrary file read/write via internal helper functions

Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:P/I:C/A:N)
Published: Dec 26, 2025
Added: Jan 9, 2026
Modified: Jan 9, 2026

Description

In self-hosted n8n instances prior to version 2.0.0 where the Code node runs in legacy JavaScript execution mode, authenticated users can invoke internal helper functions to read or write files on the host filesystem with the privileges of the n8n process. Affected versions: all versions prior to 2.0.0.

Solution

n8n-upgrade-2_0_0