CVE-2025-68613
Remote Code Execution (RCE) vulnerability in n8n (npm)

Remote Code Execution (RCE) Proof of concept Fixable By Resolved Security

What is CVE-2025-68613 About?

n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow expression evaluation system. Authenticated users can exploit this to execute arbitrary code with n8n process privileges, potentially compromising the instance. This vulnerability is highly impactful and relatively easy for an authenticated attacker to exploit.

Affected Software

  • n8n
    • >=1.121.0, <1.121.1
    • >=0.211.0, <1.120.4

Technical Details

The vulnerability stems from n8n's workflow expression evaluation system, where authenticated users can configure expressions that are not sufficiently isolated from the underlying runtime during evaluation. Specifically, under certain conditions, expressions supplied by an authenticated user can break out of their intended sandbox and execute arbitrary system commands or code with the privileges of the n8n process. This bypasses security controls within the expression engine, allowing for full system compromise, including access to sensitive data, modification of application logic, and execution of OS-level commands.

What is the Impact of CVE-2025-68613?

Successful exploitation may allow attackers to execute arbitrary code on the host system, leading to full system compromise, unauthorized data access, modification or deletion of workflows, and execution of system-level operations.

What is the Exploitability of CVE-2025-68613?

Exploitation of this RCE vulnerability is of moderate to high complexity, requiring an authenticated user with permissions to configure or modify workflows. No specific elevated privileges beyond workflow configuration are explicitly stated as required. The attack vector is remote, as the crafted expressions are submitted through the n8n application interface. The primary prerequisite is authentication to n8n. The likelihood of exploitation is significantly increased if untrusted users have workflow creation or editing capabilities. Constraints include the need for a specific execution context where expressions are not properly sandboxed. The availability of proof-of-concept exploits suggests that exploitation details are known and can be weaponized.

What are the Known Public Exploits?

PoC Author Link Commentary
rxerium Link Detection for CVE-2025-68613
Ashwesker Link CVE-2025-68613
TheStingR Link Public PoC + Scanner and research for CVE-2025-68613: Critical RCE in n8n Workflow Automation via Expression Injection (CVSS 10.0). Includes detection tools, full exploit, and remediation guidance.

What are the Available Fixes for CVE-2025-68613?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch fixes CVE-2025-68613 by introducing a sanitizer that rewrites function expressions and callbacks so their this context is always a harmless empty object rather than the Node.js global, preventing expressions from accessing process.env and other sensitive process properties. Additionally, it blocks access to more unsafe object keys (such as mainModule, binding, _load). This prevents attackers from abusing template expressions to access or manipulate process internals, closing the sandbox escape described in CVE-2025-68613.

Available Upgrade Options

  • n8n
    • >=0.211.0, <1.120.4 → Upgrade to 1.120.4
  • n8n
    • >=1.121.0, <1.121.1 → Upgrade to 1.121.1

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2025-68613?

Similar Vulnerabilities: CVE-2023-38646 , CVE-2021-44790 , CVE-2023-49070 , CVE-2022-24329 , CVE-2023-46731

All Rights reserved 2025
Privacy Policy