A critical flaw in the open-source workflow automation platform n8n allows an authenticated attacker to achieve remote code execution (RCE) with elevated permissions, n8n disclosed last week. More than 100,000 servers, mostly located in the United States, are potentially affected by the n8n vulnerability tracked as CVE-2025-68613, which has a CVSS score of 9.9, Censys reported in an advisory Monday.

CVE-2025-68613 allows any authenticated user with the ability to create or edit workflows to execute arbitrary code with the privileges of the n8n process. The root cause is insufficient isolation of the execution context in which user-supplied expressions are evaluated during workflow runs.

Because the code runs as the n8n process, exploitation could lead to a full server compromise, including theft of sensitive data, modification of other workflows and execution of system-level operations, n8n said in its advisory.

Further details about the vulnerability were revealed by penetration testing company SecureLayer7 on Sunday, which published proof-of-concept exploitation instructions and code.

SecureLayer7's evaluation notes that JavaScript expressions included in workflows and wrapped in {{ }} are evaluated server-side by Node.js when the workflow executes, and can access the global "this" context, which resolves to the Node.js execution environment. As a result, a low-privileged attacker can reach privileged objects such as "process" and load Node.js modules such as "child_process" to execute arbitrary system commands. SecureLayer7 further noted that the vulnerability can be exploited through the workflow editor in the n8n web user interface or through the n8n REST API endpoints for workflow creation, updating and execution.

PoCs for several payloads, ranging from basic proof-of-vulnerability tests to sensitive file reading, HTTP data exfiltration and reverse shell execution, are presented in the SecureLayer7 blog.

The patch for CVE-2025-68613 isolates the expression execution context by restricting access to the "this" object during evaluation of JavaScript expressions. The vulnerability affects n8n versions from 0.211.0 onward that are earlier than the patched versions 1.120.4, 1.121.1 and 1.122.0.

Users are recommended to patch as soon as possible to prevent exploitation of CVE-2025-68613. Where patching is not immediately possible, temporary mitigations include limiting workflow creation and editing to fully trusted users and deploying n8n in hardened environments with limited operating system privileges and network access, n8n said. "These workarounds do not fully eliminate the risk and should only be used as short-term measures," the n8n maintainers noted.
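Two checks a defender can script from the details above, as an added example that is not n8n's, Censys's or SecureLayer7's code: a version test against the affected range stated in the advisory, and an audit of exported workflow JSON that flags {{ }} expressions referencing the "this", "process" or "child_process" names the article mentions (plus "require", which is assumed here as the generic module-loading call). The workflow layout (top-level "nodes", each with "parameters", expression strings prefixed with "=") follows n8n's export format as assumed here, and the sample workflow is constructed.

```python
import re

# Affected range as reported: 0.211.0 and later, before 1.120.4 / 1.121.1 / 1.122.0.
FIRST_AFFECTED = (0, 211, 0)
FIXED_IN_LINE = {(1, 120): (1, 120, 4), (1, 121): (1, 121, 1)}  # 1.122.0+ is fixed outright

def parse_version(text):
    """'v1.120.3' -> (1, 120, 3); only the numeric major.minor.patch is used."""
    return tuple(int(p) for p in text.strip().lstrip("v").split(".")[:3])

def is_affected(version):
    """True if this n8n version falls inside the CVE-2025-68613 affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= (1, 122, 0):
        return False
    fix = FIXED_IN_LINE.get(v[:2])
    if fix is None:          # e.g. 1.0.0 .. 1.119.x: no in-line fix, upgrade required
        return True
    return v < fix           # 1.120.x below 1.120.4, 1.121.x below 1.121.1

EXPR_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)
# Names called out in the article; 'require' is an assumed addition for module loading.
SUSPICIOUS_RE = re.compile(r"\b(this|process|child_process|require)\b")

def scan_workflow(workflow):
    """Return (node path, expression, matched name) for each suspicious expression."""
    findings = []

    def walk(value, path):
        if isinstance(value, dict):
            for key, child in value.items():
                walk(child, f"{path}.{key}")
        elif isinstance(value, list):
            for i, child in enumerate(value):
                walk(child, f"{path}[{i}]")
        elif isinstance(value, str):
            for m in EXPR_RE.finditer(value):
                hit = SUSPICIOUS_RE.search(m.group(1))
                if hit:
                    findings.append((path, m.group(1).strip(), hit.group(1)))

    for node in workflow.get("nodes", []):
        walk(node.get("parameters", {}), node.get("name", "<unnamed>"))
    return findings

# Constructed sample export: one benign expression, one that touches the 'this' context.
SAMPLE_WORKFLOW = {
    "name": "constructed-sample",
    "nodes": [
        {"name": "Webhook", "parameters": {"path": "orders"}},
        {"name": "Set", "parameters": {"values": {"string": [
            {"name": "email", "value": "={{ $json.email }}"},
            {"name": "probe", "value": "={{ this.process.platform }}"},
        ]}}},
    ],
}
```

Running `scan_workflow(SAMPLE_WORKFLOW)` flags only the "probe" value; pairing it with `is_affected()` on the output of the running instance's version lets a review prioritise unpatched hosts whose workflows already contain expressions of this shape.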

CVSS 9.9 RCE vulnerability in n8n potentially impacts more than 100K servers





