Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies on Wednesday to patch their systems against an actively exploited n8n vulnerability. [...]
Analysis Summary
# Vulnerability: Authenticated Remote Code Execution in n8n
## CVE Details
- **CVE ID:** CVE-2025-68613
- **CVSS Score:** Not explicitly listed in the article, but characterized as a high-impact RCE (Estimated 8.8+ based on description).
- **CWE:** Improper control of dynamically managed code resources.
## Affected Systems
- **Products:** n8n (Open-source workflow automation platform).
- **Versions:** All versions prior to v1.122.0.
- **Configurations:** Systems where authenticated users have permissions to create or edit workflow expressions.
## Vulnerability Description
The flaw exists within n8n's workflow expression evaluation system. It allows an attacker to bypass security controls and execute arbitrary code on the host server. Because the vulnerability involves "improper control of dynamically managed code resources," an attacker can inject malicious logic into workflow expressions that the server then executes with the same privileges as the n8n process.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV Catalog).
- **Complexity:** Low/Medium (Requires authentication).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Access to sensitive API keys, database credentials, and secrets).
- **Integrity:** High (Ability to modify workflows and system-level operations).
- **Availability:** High (Potential for full system compromise or service disruption).
## Remediation
### Patches
- **n8n v1.122.0:** This version (released in December) addresses the vulnerability. All users are advised to upgrade immediately.
### Workarounds
- **Permission Hardening:** Limit workflow creation and editing permissions to only "fully trusted" users.
- **Least Privilege:** Restrict the operating system privileges of the n8n process.
- **Network Segmentation:** Restrict outbound and inbound network access for the n8n instance to the minimum required for operation.
## Detection
- **Indicators of Compromise:** Monitor for unusual system-level operations or unauthorized modifications to existing workflows.
- **Detection methods and tools:** Shadowserver reports over 40,000 unpatched instances exposed online. Organizations should audit their external footprint for n8n versions lower than 1.122.0.
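The two defender-side checks the Remediation and Detection sections call for, flagging instances still below the fixed version 1.122.0 and spotting workflows that changed since a reviewed baseline, can be scripted against an asset inventory and n8n's JSON workflow exports. The block below is an added example written for this summary, not code from n8n or from the cited advisory; the hostnames, version strings and workflow documents are constructed sample data, and the fingerprint covers the node `parameters` field because that is where workflow expressions live in an export.

```python
"""Audit helpers for CVE-2025-68613 exposure (added example, not n8n project code):
1. flag n8n instances whose version is below the fixed release 1.122.0;
2. detect workflows that were added or modified relative to a reviewed baseline."""
import copy
import hashlib
import json
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 122, 0)  # first release that addresses the flaw, per the advisory summary


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'v1.121.3', '1.122.0' or '1.123.0-rc.1' into a numeric tuple.
    Pre-release suffixes are ignored; only major.minor.patch is compared."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def audit_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose n8n version is below 1.122.0."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


def workflow_fingerprint(workflow: dict) -> str:
    """Stable SHA-256 over the parts of an exported workflow that decide what runs:
    node names, node types, node parameters (where expressions live) and wiring."""
    relevant = {
        "name": workflow.get("name"),
        "nodes": sorted(
            (
                {"name": n.get("name"), "type": n.get("type"), "parameters": n.get("parameters", {})}
                for n in workflow.get("nodes", [])
            ),
            key=lambda n: n["name"] or "",
        ),
        "connections": workflow.get("connections", {}),
    }
    canonical = json.dumps(relevant, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def changed_workflows(baseline: Dict[str, str], exported: List[dict]) -> List[str]:
    """Names (sorted) of workflows whose fingerprint differs from the baseline,
    including workflows that did not exist when the baseline was taken."""
    return sorted(wf["name"] for wf in exported if baseline.get(wf["name"]) != workflow_fingerprint(wf))


# --- constructed sample data (hostnames, versions and workflows are illustrative) ---
INVENTORY = {
    "n8n-prod.example.internal": "1.121.2",      # below the fix: flag it
    "n8n-dev.example.internal": "v1.122.0",      # exactly the fixed release
    "n8n-lab.example.internal": "1.123.0-rc.1",  # newer pre-release, not flagged
}

KNOWN_GOOD = [
    {
        "name": "Daily report",
        "nodes": [
            {"name": "Cron", "type": "n8n-nodes-base.cron", "parameters": {"triggerTimes": {"hour": 6}}},
            {"name": "Build message", "type": "n8n-nodes-base.set",
             "parameters": {"values": {"string": [{"name": "text", "value": "={{ $json.summary }}"}]}}},
        ],
        "connections": {"Cron": {"main": [[{"node": "Build message"}]]}},
    },
    {
        "name": "Ticket sync",
        "nodes": [{"name": "Webhook", "type": "n8n-nodes-base.webhook", "parameters": {"path": "tickets"}}],
        "connections": {},
    },
]

# Baseline taken when the workflows above were last reviewed.
BASELINE = {wf["name"]: workflow_fingerprint(wf) for wf in KNOWN_GOOD}

# A later export: one expression edited, one workflow added, one untouched.
EXPORTED_NOW = copy.deepcopy(KNOWN_GOOD)
EXPORTED_NOW[0]["nodes"][1]["parameters"]["values"]["string"][0]["value"] = "={{ $json.summary.toUpperCase() }}"
EXPORTED_NOW.append({"name": "Unreviewed", "nodes": [], "connections": {}})

if __name__ == "__main__":
    print("unpatched hosts:", audit_inventory(INVENTORY))
    print("changed workflows:", changed_workflows(BASELINE, EXPORTED_NOW))
```

In practice the inventory comes from whatever already records the deployed version (package manager, container image tag, configuration management), and the exports come from a periodic dump of workflows; persisting `BASELINE` and re-running `changed_workflows` on a schedule turns the "unauthorized modifications to existing workflows" indicator into a concrete alert, with the fingerprint pointing at which workflow to review.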
## References
- **Vendor Advisory:** hxxps[://]github[.]com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Shadowserver Statistics:** hxxps[://]dashboard[.]shadowserver[.]org/statistics/combined/time-series/?tag=cve-2025-68613+
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2025-68613