Cybersecurity Pulse
Critical and High Severity n8n Sandbox Flaws Allow RCE

Cybersecurity, SaaS

Infosecurity Magazine • January 28, 2026

Companies Mentioned

n8n, JFrog (FROG)

Why It Matters

The flaws grant remote code execution to legitimate workflow editors, exposing sensitive data and system control, which threatens the trustworthiness of automation platforms across enterprises.

Key Takeaways

  • Critical JavaScript sandbox escape (CVE-2026-1470) scores 9.9.
  • High-severity Python sandbox flaw (CVE-2026-0863) scores 8.5.
  • Exploitation requires workflow edit rights and affects both cloud and self-hosted deployments.
  • Patches released in n8n 1.123.17, 2.4.5 and 2.5.1.

Pulse Analysis

n8n has become a cornerstone for businesses seeking low‑code workflow automation, integrating AI services, APIs, and custom scripting. Its appeal lies in the flexibility to embed JavaScript or Python code directly within workflows, a feature that depends heavily on robust sandboxing to isolate user‑supplied scripts from the host environment. When that isolation fails, the entire automation layer becomes a vector for privilege escalation, potentially compromising downstream systems that rely on the orchestrated processes.

The disclosed vulnerabilities illustrate two distinct bypass techniques. The JavaScript engine's handling of the legacy "with" statement allowed attackers to reach the global Function constructor, effectively breaking out of the sandbox and running code in the main n8n process. Meanwhile, the Python node's restrictive policy was undermined by clever use of string formatting and Python 3.10's exception handling, which reconstructed forbidden objects without direct imports. Both exploits require only the ability to create or modify a workflow, a permission commonly granted to internal users, so the exposed population is broader than threat models focused on external attackers would suggest.

n8n’s rapid response, delivering patches for versions 1.123.17, 2.4.5, 2.5.1 (JavaScript) and 1.123.14, 2.3.5, 2.4.2 (Python), underscores the urgency of maintaining up‑to‑date automation stacks. Organizations should audit workflow permissions, enforce least‑privilege principles, and monitor for anomalous script activity. As automation adoption accelerates, vendors must prioritize hardened execution environments to preserve confidence in the security of business process orchestration.
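The two remediation steps above, checking the installed release against the patched lines and finding which workflows actually carry user-supplied scripts, can be scripted. The following is an added example written for this summary; it is not n8n's or JFrog's code. It assumes the fix lines are exactly the ones listed in the article, treats any minor line newer than the latest listed one as "assumed-fixed" (an assumption to confirm against the vendor advisory), and assumes n8n workflow exports are JSON in which Code nodes have type "n8n-nodes-base.code" and a "language" parameter that is absent for JavaScript and "python" for Python. The workflow export embedded in the block is constructed for the example.

```python
"""Defender-side audit helper for the n8n sandbox CVEs (added example).

Reports whether an installed n8n version is on a release line that carries
the fix for CVE-2026-1470 (JavaScript sandbox) and CVE-2026-0863 (Python
sandbox), and lists the Code nodes in an exported workflow so workflows
with embedded scripts can be reviewed first.

Assumptions (not from the article): a minor line newer than the latest
listed fix is reported as 'assumed-fixed'; Code nodes in exports have type
"n8n-nodes-base.code" with an optional "language" parameter.
"""
import json
import re
from typing import Dict, List, Tuple

# Fix lines as {major: {minor: first patched patch number}}, from the article.
JS_FIX_LINES: Dict[int, Dict[int, int]] = {1: {123: 17}, 2: {4: 5, 5: 1}}   # CVE-2026-1470
PY_FIX_LINES: Dict[int, Dict[int, int]] = {1: {123: 14}, 2: {3: 5, 4: 2}}   # CVE-2026-0863

# Accepts "2.4.3", "v2.4.3" and "2.4.3-rc.1"; a pre-release is compared as
# if it were the final release of that number, so treat rc results with care.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a version string into (major, minor, patch); raise on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def fix_status(version: str, fix_lines: Dict[int, Dict[int, int]]) -> str:
    """Return 'patched', 'unpatched' or 'assumed-fixed' for one CVE.

    'unpatched' covers both a fixed line below its first patched number and
    an older line that received no backport at all (upgrade required).
    """
    major, minor, patch = parse_version(version)
    per_major = fix_lines.get(major)
    if per_major is None:
        # A major newer than any listed line is assumed fixed (assumption);
        # a major older than every listed line never received a fix.
        return "assumed-fixed" if major > max(fix_lines) else "unpatched"
    if minor in per_major:
        return "patched" if patch >= per_major[minor] else "unpatched"
    # Minor line not listed: newer than the last fixed line is assumed fixed,
    # older means the fix was never backported to it.
    return "assumed-fixed" if minor > max(per_major) else "unpatched"


def code_nodes(workflow: dict) -> List[Tuple[str, str]]:
    """List (node name, language) for every Code node in an exported workflow."""
    found: List[Tuple[str, str]] = []
    for node in workflow.get("nodes", []):
        if node.get("type") != "n8n-nodes-base.code":
            continue
        # Assumed export convention: no "language" key means JavaScript.
        lang = node.get("parameters", {}).get("language", "javaScript")
        found.append((node.get("name", "<unnamed>"), lang))
    return found


def audit(version: str, workflow: dict) -> dict:
    """Combine the version check with the Code-node inventory for one workflow."""
    return {
        "version": version,
        "CVE-2026-1470 (JavaScript sandbox)": fix_status(version, JS_FIX_LINES),
        "CVE-2026-0863 (Python sandbox)": fix_status(version, PY_FIX_LINES),
        "code_nodes": code_nodes(workflow),
    }


# Constructed sample export: one JavaScript Code node, one Python Code node,
# and an ordinary HTTP Request node that must not be reported.
SAMPLE_EXPORT = json.loads("""
{
  "name": "nightly-sync",
  "nodes": [
    {"name": "Fetch", "type": "n8n-nodes-base.httpRequest", "parameters": {}},
    {"name": "Transform", "type": "n8n-nodes-base.code",
     "parameters": {"jsCode": "return $input.all();"}},
    {"name": "Enrich", "type": "n8n-nodes-base.code",
     "parameters": {"language": "python", "pythonCode": "return _input.all()"}}
  ]
}
""")

if __name__ == "__main__":
    # 2.4.3 is a useful case: it carries the Python fix but not the JavaScript one.
    for v in ("1.123.16", "2.4.3", "2.5.1", "2.6.0"):
        print(json.dumps(audit(v, SAMPLE_EXPORT), indent=2))
```

The per-line comparison matters because the two fixes landed on different patch numbers: an instance on 2.4.3 is past the Python fix (2.4.2) but still short of the JavaScript fix (2.4.5), so a single "am I on the latest version" check would report it incorrectly. The Code-node inventory deliberately does not try to recognise exploit patterns in the embedded scripts; its purpose is to show which workflows, and therefore which editors, warrant the permission review the analysis recommends.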
