[GHSA-8398-gmmx-564h] n8n has a Python sandbox escape

[c0rydoras]

Updates

• References

Comments

• fix reference (the fsRealpath commit has nothing to do with the python task runner)

[github]

Hi there @csuermann! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull request overview

This PR corrects an incorrect commit reference in the GitHub Security Advisory GHSA-8398-gmmx-564h for a Python sandbox escape vulnerability in n8n. The referenced commit was previously pointing to an unrelated fsRealpath commit, which has now been replaced with the correct commit that addresses the Python task runner security issue.

Changes:

• Updated the commit reference URL from the incorrect 5c69970acc7d37049deae67da861f92d2aaa9b03 (fsRealpath commit) to the correct 8607d372f78c388bb3691d9d5b52af7259ec7b1f (Python sandbox escape fix)
• Updated the advisory's modified timestamp to reflect this correction

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[helixplant]

Hi,
Thanks for sharing the 8607d37 commit. However, that commit is part of the 2.4.7 release, while the advisory states the issue is fixed in 2.4.8, and the n8n@2.4.7…n8n@2.4.8 compare shows only one code change in 2.4.8: 5c69970 (aside from version/changelog updates), so that’s the only commit we can currently tie to the correct patched version. Can you share how you identified 8607d37 as the fix for this advisory? I’m also pinging @csuermann to confirm the correct patched version/commit for this CVE.

[c0rydoras]

Can you share how you identified 8607d37 as the fix for this advisory?

I reported it ^^

Other n8n advisories have wrong versions (off by one) as well, see #6779 for another example

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[advisory-database]

Hi @c0rydoras! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!