External risk intelligence

n8n Workflow Automation RCE Vulnerability.

CVE advisoryKnown Exploit

CVE-2025-68613

A vulnerability in n8n's workflow automation platform allows authenticated attackers to execute arbitrary code. This could lead to full compromise of the affected instance, including unauthorized access to sensitive data and modification of workflows, posing a significant business risk.

4Halo Surface Signal

Remote Code Execution

N8n

0.211.0 to before 1.120.41.121.0

External exposure likelihood

Halo Surface Signal score for CVE-2025-68613

n8n is a workflow automation platform commonly deployed as a web-based application or service that provides users with a management interface for creating and executing workflows. Because these platforms are often accessed via a web browser and serve as central integration hubs, they are frequently hosted as internet-facing services in enterprise and cloud environments.

Horizon Alert

Summary of the vulnerability and why it matters

n8n, an open-source workflow automation platform, has a vulnerability that could permit unauthorized code execution. This flaw exists when expressions provided by authenticated users are processed in a way that is not fully isolated from the system's runtime environment. An attacker could leverage this to run arbitrary code with the same permissions as the n8n process.

Vulnerable component: Workflow expression evaluation system.
Core weakness: Insufficient isolation of expression evaluation.
Main business impact: Compromise of affected instances, data access, workflow modification.

Attack Path

How an attacker could exploit the issue

An authenticated attacker can leverage a vulnerability in the workflow expression evaluation system to execute arbitrary code. This occurs when expressions provided by a user during workflow configuration are not properly isolated from the underlying runtime. Successful exploitation allows an attacker to gain control of the n8n process, potentially accessing sensitive data, altering workflows, or executing system-level commands.

Exposure condition: Authenticated user configures workflows.
Attacker starting point: Access to n8n instance.
Trigger and result: Malicious expression evaluation leads to code execution.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability exists within the workflow expression evaluation system of the n8n automation platform. This flaw could allow an authenticated attacker to execute arbitrary code with the same privileges as the n8n process. Such an exploit could lead to a full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.

Likely attacker skill level: Low
Required access or conditions: Authenticated user
Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability presents a significant risk, potentially allowing an attacker to execute arbitrary code on the affected system, leading to full compromise. This compromise could result in unauthorized access to sensitive data, unauthorized modification of workflows, and the execution of system-level operations, impacting organizational operations and data integrity. The threat requires prompt attention to mitigate potential business risks.

Identify all instances of the affected software.
Restrict workflow creation and editing permissions.
Upgrade to a patched version and monitor system activity.

Frequently asked questions

What is n8n and what is its function in workflow automation?

n8n is an open-source platform designed for workflow automation. It enables users to connect various applications and services to automate repetitive tasks by building custom workflows without needing extensive coding knowledge.

What type of weakness does CVE-2025-68613 represent in n8n's system?

CVE-2025-68613 is categorized under CWE-913, indicating an improper control of dynamically-managed code resources. This means that user-supplied expressions in n8n workflows are not adequately isolated from the system's runtime, creating a pathway for unintended code execution.

How can an attacker exploit the vulnerability in n8n's workflow expression evaluation?

An authenticated attacker can exploit this by providing specific expressions during workflow configuration. These expressions are then evaluated in a context that is not sufficiently isolated from the system's runtime, allowing the attacker to execute arbitrary code with the privileges of the n8n process.

What are the potential consequences of exploiting CVE-2025-68613 in n8n?

Successful exploitation of this vulnerability can lead to a complete compromise of the affected n8n instance. This includes unauthorized access to sensitive data, the ability to modify existing workflows, and the execution of arbitrary system-level operations.

What steps should be taken to address the n8n workflow automation vulnerability?

It is strongly recommended to upgrade n8n to a patched version (1.120.4, 1.121.1, or 1.122.0 or later). If an immediate upgrade is not feasible, temporary mitigations include limiting workflow creation/editing permissions to trusted users and deploying n8n in a hardened environment with restricted privileges and network access.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.