Critical Alert: n8n Arbitrary Code Execution (CVE-2025-68613)

A critical security vulnerability has been identified in n8n, the popular workflow automation platform. Tracked as CVE-2025-68613, this flaw allows authenticated attackers to achieve **Arbitrary Code Execution** by injecting malicious JavaScript expressions into workflows.

If you run n8n in your infrastructure, especially if it is accessible via the internet, you must update immediately.

What to Remember

  • Critical Arbitrary Code Execution: CVE-2025-68613 allows authenticated code execution via malicious expressions.
  • Sandbox Escape: Attackers bypass Node.js restrictions to access sensitive modules like child_process.
  • Affected Versions: Versions prior to 1.122.0 are vulnerable.
  • Immediate Action: Upgrade to v1.122.0 or later immediately to fix the flaw.

The Vulnerability

The core issue lies in how n8n evaluates user-supplied expressions (those wrapped in {{ }}). While these expressions are intended to manipulate data, the underlying Node.js execution environment was not properly sandboxed.

Attackers can bypass the restrictions by accessing the global this context within an expression. Specifically, the vulnerability allows access to process.mainModule.require, enabling the loading of sensitive Node.js modules like child_process.

The Impact:

  • Arbitrary Command Execution: Attackers can run system commands as the user running the n8n process (e.g., whoami, ls).
  • Data Exfiltration: Environment variables containing API keys, database credentials, and cloud secrets can be read and stolen.
  • Full Compromise: In many deployments, this leads to a complete takeover of the host server or container.
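
A defender-side check for the pattern described above, added here as an example (it is not code from the original post or from the n8n project): it walks an exported workflow and flags `{{ }}` expressions that reference the Node.js internals named on this page. The workflow object is constructed, simplified sample data, and the pattern list is an assumed starting point, not a complete signature set.

```javascript
// Added example: flag workflow expressions that reach for Node.js internals.
// SUSPICIOUS is an assumed starting list built from the names on this page.
const SUSPICIOUS = [
  /\bprocess\s*\.\s*mainModule\b/,
  /\bchild_process\b/,
  /\brequire\s*\(/,
  /\bthis\s*\.\s*process\b/,
  /\bprocess\s*\.\s*env\b/,
];

// Yield every "{{ ... }}" body found in any string value of the object tree.
function* expressions(value, path = "$") {
  if (typeof value === "string") {
    for (const m of value.matchAll(/\{\{([\s\S]*?)\}\}/g)) yield { path, expr: m[1].trim() };
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* expressions(value[i], `${path}[${i}]`);
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) yield* expressions(v, `${path}.${k}`);
  }
}

// Return one finding per expression that matches at least one pattern.
function scanWorkflow(workflow) {
  const findings = [];
  for (const { path, expr } of expressions(workflow.nodes || [], "$.nodes")) {
    const hits = SUSPICIOUS.filter((re) => re.test(expr)).map((re) => re.source);
    if (hits.length) findings.push({ workflow: workflow.name, path, hits, expr });
  }
  return findings;
}

// Constructed sample export: one benign expression, one matching the page's payload.
const sampleWorkflow = {
  name: "constructed-sample",
  nodes: [
    { name: "Manual Trigger", type: "n8n-nodes-base.manualTrigger", parameters: {} },
    { name: "Greeting", type: "n8n-nodes-base.set",
      parameters: { values: { string: [{ name: "msg", value: "=Hello {{ $json.firstName }}" }] } } },
    { name: "Set", type: "n8n-nodes-base.set",
      parameters: { values: { string: [{ name: "result",
        value: "={{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })() }}" }] } } },
  ],
};

console.log(JSON.stringify(scanWorkflow(sampleWorkflow), null, 2));
```

Treat a hit as a reason to review the workflow and the account that last edited it. The patterns are heuristics, and an expression that contains `}}` inside a string literal would be cut short by the extraction regex.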

Affected Versions

This vulnerability affects n8n versions prior to 1.122.0.

  • Vulnerable: < 1.122.0
  • Patched: >= 1.122.0 (Fixed versions also include 1.120.4 and 1.121.1)

NB: Switching to n8n version 2.x.x is also recommended, as it includes additional security improvements and new features.
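
The version rules above, applied to an instance inventory, as an added example (not from the original post or the n8n project). A plain `< 1.122.0` comparison would wrongly flag the backported releases, so the check is aware of the fixed lines; it assumes that later patch releases on the 1.120.x and 1.121.x lines keep the fix, and the host names and inventory are constructed.

```javascript
// Added example: classify n8n versions against the fixed releases listed on this page.
// Assumption: later patch releases on the 1.120.x and 1.121.x lines keep the backported fix.
const FIXED_BACKPORTS = { "1.120": 4, "1.121": 1 }; // minor line -> first fixed patch
const FIXED_MAINLINE = [1, 122, 0];

// Parse "1.2.3" or "v1.2.3"; return null for tags such as "latest".
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "patched", "vulnerable", or "unknown" when the version cannot be parsed.
function classify(text) {
  const v = parseVersion(text);
  if (!v) return "unknown";
  if (compare(v, FIXED_MAINLINE) >= 0) return "patched";
  const firstFixedPatch = FIXED_BACKPORTS[`${v[0]}.${v[1]}`];
  if (firstFixedPatch !== undefined && v[2] >= firstFixedPatch) return "patched";
  return "vulnerable";
}

// Group hosts by status so unparseable versions are surfaced, not assumed safe.
function audit(inventory) {
  const report = { vulnerable: [], patched: [], unknown: [] };
  for (const { host, version } of inventory) report[classify(version)].push(host);
  return report;
}

// Constructed inventory for illustration.
const inventory = [
  { host: "automation-01", version: "1.119.2" },
  { host: "automation-02", version: "1.120.4" },
  { host: "automation-03", version: "1.121.0" },
  { host: "automation-04", version: "v1.122.0" },
  { host: "automation-05", version: "2.0.1" },
  { host: "automation-06", version: "latest" },
];

console.log(audit(inventory));
```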

Proof of Concept

PoC Repository: n8n-CVE-2025-68613-exploit

Steps to Reproduce

  1. Create New Workflow

    • Click Add workflow in the n8n interface
  2. Add Required Nodes

    • Add a Manual Trigger node
    • Add a Set node and connect it to the trigger
  3. Configure the Payload

    • Click on the Set node to open its settings
    • Click Add Value → Select String
    • Name the field result
    • Click the = icon to enable expression mode
  4. Inject the Malicious Payload

    Paste this payload into the expression field:

       {{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })() }}
  5. Execute and Observe

    • Click Execute Workflow
    • The output will display the result of the id command, confirming code execution.

How to Remediate

The only complete fix is to upgrade your instance.

Pull the latest Docker image or update your NPM package:

   # Docker
   docker pull n8nio/n8n:latest
   docker-compose up -d

   # NPM
   npm install -g n8n@latest

2. Temporary Mitigation

If you cannot upgrade immediately:

  • Isolate Network: Ensure your n8n instance is not accessible from the public internet.
  • Restrict Access: Limit workflow creation/editing permissions to trusted users only. The exploit requires authentication (though in some configurations, low-privilege users can trigger it).
  • Hardening: Run n8n as a non-root user with limited filesystem access.

Conclusion

Workflow automation tools like n8n are high-value targets because they hold the keys to your other services (APIs, databases, CRMs). CVE-2025-68613 is a reminder that internal tools require the same rigorous patching schedule as public-facing applications. Patch now.

Frequently Asked Questions (FAQ)

What is CVE-2025-68613?

CVE-2025-68613 is a critical Arbitrary Code Execution vulnerability in the n8n workflow automation platform, allowing attackers to run arbitrary code via malicious JavaScript expressions.

Why is this vulnerability dangerous?

It allows attackers to bypass the Node.js sandbox, enabling them to execute system commands, steal sensitive environment variables (API keys), and potentially take over the host server.

Which versions of n8n are affected?

All n8n versions prior to 1.122.0 are vulnerable. Fixed versions include 1.122.0, as well as backported fixes in 1.120.4 and 1.121.1.

How do I fix this vulnerability?

The only complete fix is to upgrade your n8n instance immediately to version 1.122.0 or later using Docker or NPM.

What if I cannot upgrade immediately?

If you cannot upgrade, you must isolate the network to prevent public access, restrict workflow creation permissions to trusted users, and ensure n8n runs as a non-root user.

William OGOU