Critical Remote Code Execution vulnerability in n8n workflow automation platform allowing authenticated users to execute arbitrary code through expression injection. n8n is commonly deployed as an internet-facing service for workflow automation and API integrations.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-12-19
Added to CISA KEV: 2026-03-11 82 DAYS BETWEEN CVE AND KEV
This vulnerability, now tracked as CVE-2025-68613, allows an attacker—if authenticated—to run arbitrary code directly on n8n servers by exploiting unsafe expression evaluation in workflow configurations.The Vulnerability. Impacted versions: Technical Details. n8n lets users write JavaScript-based "expressions" to customize workflow steps.
CVE-2025-68613 (n8n): Severity, Scope, and Impact. Before diving into exploitation mechanics and mitigation steps, it’s important to understand the basic profile of the vulnerability. Here is a brief snapshot: CVE ID: CVE-2025-68613. Severity: Critical (CVSS score of 9.9). Affected Versions: n8n versions from v0.211.0 through v1.120.3. Patched Versions: Fixed in v1.120.4, v1.121.1, v1.122.0 and later. Attack Vector: Network-based attack requiring authentication.
CVE-2025-68613: NixOS vulnerability analysis and mitigation. n8n is an open source workflow automation platform.An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0.
CVE-2025-68613 Detail. Description.An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0.
A critical vulnerability (CVE-2025-68613, CVSS 9.9/10.0) was disclosed affecting the n8n workflow automation platform, allowing attackers to execute arbitrary code on the underlying server via expression injection in workflow definitions. Due to the potential for full instance takeover, data exposure, and lateral movement, immediate patching is required.