CVE-2025-68613
n8n Vulnerable to Remote Code Execution via Expression Injection
Description
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.
INFO
Published Date :
Dec. 19, 2025, 11:15 p.m.
Last Modified :
Jan. 2, 2026, 6:28 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Upgrade n8n to version 1.120.4 or later.
- Limit workflow creation and editing permissions.
- Deploy n8n in a hardened environment.
Public PoC/Exploit Available at Github
CVE-2025-68613 has a 42 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-68613.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-68613 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-68613
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
n8n Ni8mare - Unauthenticated Arbitrary File Read to RCE Chain (CVSS 10.0)
exploit n8n poc rce security vulnerability cve-2026-21858 ni8mare
Dockerfile Python Shell
Lab for CVE-2025-68613 n8n RCE
Expression injection payloads for n8n CVE-2025-68613 RCE
n8n RCE (CVE-2025-68613) - Proof of Concept
Python
None
HTML
n8n CVE-2025-68613
n8n n8n-automation n8n-workflow python3
Python
None
JavaScript HTML CSS TypeScript
A testing framework to identify and demonstrate deserialization vulnerabilities in LangChain Core (<0.3.81). Educational use only
Python
This laboratory provides a controlled environment to analyze and reproduce CVE-2025-68613 in a vulnerable n8n instance.
Python Dockerfile
CVE-2025-68613 (n8n) Critical RCE analysis + defensive recommendations (patch validation, detection ideas, and hardening tips)
The minor methodology for room: https://tryhackme.com/room/n8ncve202568613
None
None
Dockerfile
None
Technical study of the CVE-2025-68613 vulnerability in n8n, covering affected versions, laboratory exploration scenario, offensive and defensive analysis, and mitigation strategies.
JavaScript
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-68613 vulnerability anywhere in the article.
-
Daily CyberSecurity
Public Exploit Released: Critical n8n Flaw CVE-2026-21858 Exposes 100k Servers
The “central nervous system” of automation for thousands of companies has a critical weakness. A new report from Cyera reveals a devastating vulnerability in n8n, the popular workflow automation platf ... Read more
-
The Cyber Express
Critical n8n Vulnerability Allows Arbitrary Command Execution (CVE-2025-68668)
A newly disclosed n8n vulnerability has been confirmed to allow authenticated users to execute arbitrary system commands on affected servers. The issue, tracked as CVE-2025-68668, has been assigned a ... Read more
-
The Hacker News
New n8n Vulnerability (9.9 CVSS) Lets Authenticated Users Execute System Commands
Jan 06, 2026Ravie LakshmananVulnerability / DevOps A new critical security vulnerability has been disclosed in n8n, an open-source workflow automation platform, that could enable an authenticated at ... Read more
-
The Hacker News
⚡ Weekly Recap: MongoDB Attacks, Wallet Breaches, Android Spyware, Insider Crime & More
Dec 29, 2026Ravie LakshmananHacking News / Cybersecurity Last week's cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust ev ... Read more
-
CybersecurityNews
Critical n8n Automation Platform Vulnerability Enables RCE Attacks – 103,000+ Instances Exposed
A critical remote code execution vulnerability has been discovered in n8n, the open-source workflow automation platform, exposing over 103,000 potentially vulnerable instances worldwide. Tracked as CV ... Read more
-
The Hacker News
Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances
Dec 23, 2025Ravie LakshmananVulnerability / Workflow Automation A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could re ... Read more
-
Daily CyberSecurity
n8n Under Fire: Critical CVSS 10.0 RCE Vulnerability Grants Total Server Access
The popular workflow automation tool n8n has issued a critical security alert after discovering a vulnerability that could allow attackers to seize complete control of the platform. Tracked as CVE-202 ... Read more
The following table lists the changes that have been made to the
CVE-2025-68613 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jan. 02, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* versions from (including) 0.211.0 up to (excluding) 1.120.4 *cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* versions from (including) 1.121.0 up to (excluding) 1.121.1 Added Reference Type GitHub, Inc.: https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79 Types: Patch Added Reference Type GitHub, Inc.: https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000 Types: Patch Added Reference Type GitHub, Inc.: https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316 Types: Patch Added Reference Type GitHub, Inc.: https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp Types: Patch, Vendor Advisory -
New CVE Received by [email protected]
Dec. 19, 2025
Action Type Old Value New Value Added Description n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures. Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-913 Added Reference https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79 Added Reference https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000 Added Reference https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316 Added Reference https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp