Known Exploited Vulnerability
CVSS 3.1 base score: 9.9 (CRITICAL)
CVE-2025-68613
n8n Improper Control of Dynamically-Managed Code Resources Vulnerability - [Actively Exploited]
Description

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

INFO

Published Date: Dec. 19, 2025, 11:15 p.m.

Last Modified: March 11, 2026, 7:40 p.m.

Remotely Exploitable: Yes
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description: n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use: Unknown

Notes: https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp ; https://nvd.nist.gov/vuln/detail/CVE-2025-68613

Affected Products

The following products are affected by the CVE-2025-68613 vulnerability. Although cvefeed.io is aware of the exact product versions that are affected, that information is not shown in the table below.

ID Vendor Product Action
1 N8n n8n
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 HIGH [email protected]
Solution
Upgrade n8n to a patched version to fix the RCE vulnerability in workflow expression evaluation.
  • Upgrade n8n to a fixed release: 1.120.4, 1.121.1, or 1.122.0 or later (note that 1.121.0 is still affected).
  • Limit workflow creation and editing permissions.
  • Deploy n8n in a hardened environment.
Public PoC/Exploit Available on GitHub

CVE-2025-68613 has 66 public PoC/Exploit repositories available on GitHub. Go to the Public Exploits tab to see the list.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-68613 is associated with the following CWEs:

  • CWE-913: Improper Control of Dynamically-Managed Code Resources

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-68613 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated).

None

TypeScript JavaScript CSS Dockerfile

Updated: 2 days, 16 hours ago
0 stars, 0 forks, 0 watchers
Created: March 25, 2026, 9:59 a.m. This repo has also been linked to 5 different CVEs.

None

Dockerfile Makefile Procfile Python Jinja Shell

Updated: 2 weeks, 3 days ago
0 stars, 0 forks, 0 watchers
Created: March 13, 2026, 1:54 p.m. This repo has also been linked to 2 different CVEs.

This is using OpenClaw Automated weekly IT security reports, summaries, and PDFs published to GitHub Pages.

HTML

Updated: 1 week, 3 days ago
0 stars, 0 forks, 0 watchers
Created: March 13, 2026, 3:03 a.m. This repo has also been linked to 5 different CVEs.

Professional CVE exploitation toolkit - Next.js, W3TC, n8n RCE

Python PHP

Updated: 2 weeks, 4 days ago
0 stars, 0 forks, 0 watchers
Created: March 13, 2026, 1:41 a.m. This repo has also been linked to 3 different CVEs.

Daily CVE scanners and offensive security tools for bug bounty & red team — one new tool pushed every day

bug-bounty cve penetration-testing python red-team security

Python

Updated: 1 week, 3 days ago
0 stars, 0 forks, 0 watchers
Created: March 9, 2026, 7:51 p.m. This repo has also been linked to 4 different CVEs.

CVE-2025-68613 — n8n RCE via Expression Injection

Shell

Updated: 4 weeks ago
0 stars, 0 forks, 0 watchers
Created: March 3, 2026, 2:38 p.m. This repo has also been linked to 1 CVE.

None

Dockerfile Python Shell

Updated: 1 month, 1 week ago
0 stars, 0 forks, 0 watchers
Created: Feb. 24, 2026, 5:04 a.m. This repo has also been linked to 3 different CVEs.

Lab DIABLE v3.0 - Cybersecurity teaching platform (DSI ISFA 2025-2026)

Dockerfile PHP CSS JavaScript HTML Python Java Shell

Updated: 5 days, 14 hours ago
1 star, 6 forks, 6 watchers
Created: Feb. 19, 2026, 7:03 p.m. This repo has also been linked to 5 different CVEs.

None

Updated: 1 month, 3 weeks ago
0 stars, 0 forks, 0 watchers
Created: Feb. 7, 2026, 1:22 p.m. This repo has also been linked to 2 different CVEs.

Hack

Dockerfile Python Shell Perl

Updated: 2 months ago
0 stars, 0 forks, 0 watchers
Created: Jan. 30, 2026, 10:38 p.m. This repo has also been linked to 3 different CVEs.

None

Shell Python

Updated: 2 months ago
0 stars, 0 forks, 0 watchers
Created: Jan. 27, 2026, 4:29 p.m. This repo has also been linked to 2 different CVEs.

A challenge dump from the official LKS DIKMEN Cybersecurity competition at the Tulungagung Regency level

Python Shell Dockerfile C HTML Go Go Template

Updated: 2 months ago
2 stars, 1 fork, 1 watcher
Created: Jan. 25, 2026, 7:24 a.m. This repo has also been linked to 3 different CVEs.

TryHackMe report: n8n CVE-2025-68613 (CVSS 9.9)

Updated: 2 months, 1 week ago
0 stars, 0 forks, 0 watchers
Created: Jan. 22, 2026, 10:36 p.m. This repo has also been linked to 1 CVE.

Secure Execution Gateway (SEG) provides a safe alternative to OS command execution by exposing controlled, whitelisted file operations via an authenticated HTTP API. Built for Docker-based micro-services and workflows with strong sandboxing and auditability.

api-security devsecops docker fastapi openapi python sandbox security workflow-engine

Python Dockerfile Shell Makefile

Updated: 2 weeks ago
1 star, 1 fork, 1 watcher
Created: Jan. 22, 2026, 12:47 a.m. This repo has also been linked to 3 different CVEs.

None

Python

Updated: 2 months, 1 week ago
0 stars, 0 forks, 0 watchers
Created: Jan. 20, 2026, 11:50 a.m. This repo has also been linked to 2 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-68613 vulnerability anywhere in the article.

  • The Register
CISA warns max-severity n8n bug is being exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that hackers are exploiting a max-severity remote code execution (RCE) vulnerability in workflow automation platform n8n. C ... Read more

Published Date: Mar 12, 2026 (2 weeks, 5 days ago)
  • security.nl
Critical n8n security flaw actively exploited in attacks, US warns

Attackers are actively exploiting a critical vulnerability in n8n, warns the US government's cyber agency. The security flaw, whose impact on a scale of 1 to ... Read more

Published Date: Mar 12, 2026 (2 weeks, 5 days ago)
  • The Hacker News
CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of ac ... Read more

Published Date: Mar 12, 2026 (2 weeks, 5 days ago)
  • Daily CyberSecurity
The Mutable Tag Trap: Critical 9.4 CVSS Attack on Xygeni GitHub Action Exposes CI/CD Pipelines

In a sophisticated supply chain manipulation, the xygeni-action GitHub Action was recently targeted by a critical “tag poisoning” attack. On March 3, 2026, an attacker utilized compromised credentials ... Read more

Published Date: Mar 12, 2026 (2 weeks, 6 days ago)
  • Daily CyberSecurity
CISA Mandates Urgent Patch for Maximum 10.0 CVSS n8n RCE Flaw

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a new, high-stakes entry to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability, tracked as CVE-2025-6 ... Read more

Published Date: Mar 12, 2026 (2 weeks, 6 days ago)
  • Daily CyberSecurity
Cyber Escalation in the Middle East: Disruption, Deception, and the Quest for Data

A new report from Rapid7 Labs highlights a significant spike in retaliatory cyber activity targeting both regional and Western infrastructure, characterized by a mix of state-directed espionage and a ... Read more

Published Date: Mar 12, 2026 (2 weeks, 6 days ago)
  • Daily CyberSecurity
Root Access via CLI: Cisco Patches Critical IOS XR Privilege Escalation Flaws

Cisco has issued a high-priority security advisory regarding multiple vulnerabilities in its IOS XR Software that could allow local attackers to bypass security restrictions and seize full administrat ... Read more

Published Date: Mar 12, 2026 (2 weeks, 6 days ago)
  • Daily CyberSecurity
Chrome 146 Arrives with 29 Security Fixes: Critical WebML Flaw Discovered

Google has officially promoted Chrome 146 to the stable channel for Windows, Mac, and Linux, kicking off a global rollout that will reach users over the coming days and weeks. While the update brings ... Read more

Published Date: Mar 12, 2026 (2 weeks, 6 days ago)
  • Daily CyberSecurity
Code Red: GitLab’s Latest Security Update Patches High-Severity XSS and API DoS Vulnerabilities

GitLab has released critical security updates—versions 18.9.2, 18.8.6, and 18.7.6—for both Community Edition (CE) and Enterprise Edition (EE). This emergency patch addresses several high-severity flaw ... Read more

Published Date: Mar 12, 2026 (2 weeks, 6 days ago)
  • CybersecurityNews
Zerobot Malware Exploiting Tenda Command Injection Vulnerabilities to Deploy Malware

A Mirai-based botnet campaign known as Zerobot has resurfaced with renewed force, this time targeting critical flaws in Tenda AC1206 routers and the n8n workflow automation platform. The campaign, now ... Read more

Published Date: Mar 03, 2026 (4 weeks ago)
  • Daily CyberSecurity
Beyond the Router: How the Zerobotv9 Botnet is Hijacking Enterprise Automation

According to a recent investigation by the Akamai Security Intelligence and Response Team (SIRT), a notorious malware family known as Zerobot has re-emerged with new tricks. This latest iteration, dub ... Read more

Published Date: Mar 03, 2026 (4 weeks, 1 day ago)
  • Daily CyberSecurity
Automation at Risk: Triple 9.4 Severity RCE Flaws Threaten n8n Workflow Servers

n8n is a popular workflow automation platform that gives technical teams the flexibility of code with the speed of no-code. With 400+ integrations, native AI capabilities, and a fair-code license, n8n ... Read more

Published Date: Feb 26, 2026 (1 month ago)
  • Daily CyberSecurity
Popular n8n Platform Hit by Triple Threat of RCE Flaws

The n8n workflow automation platform, a favorite among technical teams for its “fair-code” flexibility and AI capabilities, has been struck by a cluster of critical security vulnerabilities. Security ... Read more

Published Date: Feb 06, 2026 (1 month, 3 weeks ago)
  • CybersecurityNews
Critical n8n Vulnerability Enables System Command Execution Via Weaponized Workflows

A critical remote code execution (RCE) vulnerability in n8n, the popular workflow automation platform. This flaw allows authenticated attackers to execute arbitrary system commands o ... Read more

Published Date: Feb 05, 2026 (1 month, 3 weeks ago)
  • The Register
n8n security woes roll on as new critical flaws bypass December fix

Multiple newly disclosed bugs in the popular workflow automation tool n8n could allow attackers to hijack servers, steal credentials, and quietly disrupt AI-driven business processes. The vulnerabilit ... Read more

Published Date: Feb 05, 2026 (1 month, 3 weeks ago)
  • The Cyber Express
Critical n8n Vulnerability CVE-2026-25049 Enables Remote Command Execution

A newly disclosed critical vulnerability, tracked as CVE-2026-25049, in the workflow automation platform n8n, allows authenticated users to execute arbitrary system commands on the underlying server ... Read more

Published Date: Feb 05, 2026 (1 month, 3 weeks ago)
  • The Hacker News
Critical n8n Flaw CVE-2026-25049 Enables System Command Execution via Malicious Workflows

A new, critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in the execution of arbitrary system commands. The flaw, ... Read more

Published Date: Feb 05, 2026 (1 month, 3 weeks ago)
  • Daily CyberSecurity
Sandbox Shattered: Critical n8n Flaw (CVSS 9.9) Allows Remote Code Execution

Security researcher Natan Nehorai of the JFrog Security Research Team has uncovered a critical Remote Code Execution (RCE) vulnerability in n8n, the popular fair-code workflow automation platform used ... Read more

Published Date: Jan 28, 2026 (2 months ago)
  • The Cyber Express
New EU Vulnerability Platform GCVE Goes Live, Reducing Reliance on Global Systems

Europe’s long-running conversation about digital autonomy quietly crossed a milestone with the launch of a new public vulnerability platform. The EU Vulnerability Database, created under the GCVE init ... Read more

Published Date: Jan 21, 2026 (2 months, 1 week ago)
  • TheCyberThrone
Critical Ni8mare RCE and Expression Injection Vulnerability

January 10, 2026. n8n, the popular open-source workflow automation tool, faces multiple critical vulnerabilities disclosed in late 2025 and early 2026. These flaws enable unauthenticated remote code exe ... Read more

Published Date: Jan 10, 2026 (2 months, 3 weeks ago)

The following table lists the changes that have been made to the CVE-2025-68613 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Mar. 11, 2026

    Added CWE: CWE-913
    Changed CPE Configuration:
      Old value: OR
        *cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* versions from (including) 0.211.0 up to (excluding) 1.120.4
        *cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* versions from (including) 1.121.0 up to (excluding) 1.121.1
      New value: OR
        *cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* versions from (including) 0.211.0 up to (excluding) 1.120.4
        *cpe:2.3:a:n8n:n8n:1.121.0:*:*:*:*:node.js:*:*
    Added Reference Type (CISA-ADP): https://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platform (Types: Exploit, Third Party Advisory)
    Added Reference Type (CISA-ADP): https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68613 (Types: US Government Resource)
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Mar. 11, 2026

    Added Reference: https://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platform
    Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68613
  • Initial Analysis by [email protected]

    Jan. 02, 2026

    Added CVSS V3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration: OR
      *cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* versions from (including) 0.211.0 up to (excluding) 1.120.4
      *cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* versions from (including) 1.121.0 up to (excluding) 1.121.1
    Added Reference Type (GitHub, Inc.): https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79 (Types: Patch)
    Added Reference Type (GitHub, Inc.): https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000 (Types: Patch)
    Added Reference Type (GitHub, Inc.): https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316 (Types: Patch)
    Added Reference Type (GitHub, Inc.): https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp (Types: Patch, Vendor Advisory)
  • New CVE Received by [email protected]

    Dec. 19, 2025

    Added Description: n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.
    Added CVSS V3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    Added CWE: CWE-913
    Added Reference: https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79
    Added Reference: https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000
    Added Reference: https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316
    Added Reference: https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.