šŸ”“ CVE-2025-68613

Critical Remote Code Execution vulnerability in n8n workflow automation platform allowing authenticated users to execute arbitrary code through expression injection. n8n is commonly deployed as an internet-facing service for workflow automation and API integrations.

ā† Back to Overview
HIGH_RISK
Risk Level
10.0
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 ā€” Exploit Public-Facing Application
ATT&CK Technique
HIGH
Deployment Risk
No
Ransomware

šŸ“‹ Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-12-19

Added to CISA KEV: 2026-03-11 82 DAYS BETWEEN CVE AND KEV

šŸŽÆ Recommendations:

šŸ” Web Intelligence (Kagi Ā· 2026-03-11)

The CVE-2025-68613 vulnerability affects the n8n workflow automation platform and allows an authenticated attacker to execute arbitrary code with the privileges of the n8n process [3][4]. This can lead to a full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations [3][4].

Regarding the specific aspects of the vulnerability exploitation:

  • Internet-facing applications or services: The vulnerability is present in the n8n platform, which can be deployed in various environments, including those accessible via the internet. Exploitation requires authentication to the n8n instance [1][2].
  • Evidence of active exploitation in the wild: While CISA has a catalog of Known Exploited Vulnerabilities (KEV) [6], there is no specific mention in the provided search results that CVE-2025-68613 has been added to this catalog or is actively exploited in the wild. CISA has added other vulnerabilities to its KEV catalog at various points in 2025 and 2026 [7][8].
  • Attack vectors and exploitation methods: The vulnerability is exploited through expression injection in workflow definitions [5]. Attackers can leverage unsafe expression evaluation in workflow configurations to run arbitrary code [1]. The attack vector is described as network-based and requires authentication [2].
  • Targeted attacks: The provided information does not specify whether CVE-2025-68613 has been used in targeted attacks.
  • CISA Known Exploited Vulnerabilities status: As mentioned, there is no direct indication in the provided search results that CVE-2025-68613 is currently listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog.
  • Technical details about internet exploitability: The vulnerability lies in n8n's handling of JavaScript-based "expressions" within workflow steps [1]. An authenticated attacker can abuse this behavior to execute arbitrary code [3][4]. The severity is rated as Critical with a CVSS score of 9.9 [2].
The vulnerability affects n8n versions from v0.211.0 through v1.120.3 [2]. It has been fixed in versions 1.120.4, 1.121.1, and 1.122.0 [3][4].

Sources

  1. CVE-2025-68613 - Critical Remote Code Execution in n8n - cve.news

    This vulnerability, now tracked as CVE-2025-68613, allows an attackerā€”if authenticatedā€”to run arbitrary code directly on n8n servers by exploiting unsafe expression evaluation in workflow configurations.The Vulnerability. Impacted versions: Technical Details. n8n lets users write JavaScript-based "eā€¦

  2. n8n CVE-2025-68613 RCE Exploitation: A Detailed Guide

    CVE-2025-68613 (n8n): Severity, Scope, and Impact. Before diving into exploitation mechanics and mitigation steps, itā€™s important to understand the basic profile of the vulnerability. Here is a brief snapshot: CVE ID: CVE-2025-68613. Severity: Critical (CVSS score of 9.9). Affected Versions: n8n verā€¦

  3. CVE-2025-68613 Impact, Exploitability, and Mitigation Steps | Wiz

    CVE-2025-68613: NixOS vulnerability analysis and mitigation. n8n is an open source workflow automation platform.An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected inā€¦

  4. CVE-2025-68613 Detail - NVD - NIST

    CVE-2025-68613 Detail. Description.An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workā€¦

  5. Critical n8n RCE vulnerability enables full server compromise

    A critical vulnerability (CVE-2025-68613, CVSS 9.9/10.0) was disclosed affecting the n8n workflow automation platform, allowing attackers to execute arbitrary code on the underlying server via expression injection in workflow definitions. Due to the potential for full instance takeover, data exposurā€¦

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

šŸ“„ Download JSON Data | šŸ“” RSS Feed