## https://sploitus.com/exploit?id=F0EBFEE4-2AA9-59AD-8CEB-0640202D465A
# N8Scape: CVE-2025-68668 Breakdown
This is my personal writeup and analysis of CVE-2025-68668, a critical severity (CVSS 9.9) post-authentication remote code execution vulnerability in n8n, the open source workflow automation platform.
The original research was published by Cyera Research Labs (Vladimir Tokarev and Ofek Itach) in January 2026. This repo is not their work โ it's my attempt to read through their findings, understand what actually happened technically, and write it back out in plain language.
This writeup was produced as part of an internship project at **Cryptonic Area**, as an exercise in understanding real vulnerability research, understanding it technically, and communicating it clearly.
## What this covers
The report walks through how n8n's Python execution environment works, where the security model breaks down, and how two independent sandbox escape techniques give an attacker full OS command execution from inside a standard Code node. It also covers how that initial foothold quickly escalates to full administrative access across the entire n8n instance, including every stored credential and connected integration.
The sections are written the way I understood things after going through the original PoC and advisory, so it reads more like a study guide than a formal report. Technical components like `ctypes`, `libc`, Pyodide, and `eval_code` are all explained from first principles so the attack chain makes sense without needing to already know those tools.
## What is not included
There is no working exploit code here. The steps to reproduce section describes the attack chain conceptually so the risk is clear, but nothing in this repo is intended to be used to exploit anything.
## Source and credit
The original vulnerability research and disclosure is by Cyera Research Labs. Their official advisory is tracked under GHSA-62r4-hw23-cc8v. All credit for finding and responsibly disclosing this vulnerability belongs to them.