Security researchers have confirmed the release of proof-of-concept (PoC) exploit code for CVE-2025-68613, a critical remote code execution flaw affecting n8n workflow automation platform.
The vulnerability carries a maximum CVSS score of 10.0 and impacts versions from v0.211.0 through v1.120.3.
n8n is widely deployed in enterprise environments where it automates critical workflows and integrates with internal systems, APIs, and cloud services.
This vulnerability allows authenticated users to execute arbitrary commands on the underlying server, potentially compromising the entire infrastructure.
The flaw stems from improper JavaScript expression evaluation. n8n processes user input wrapped in double curly braces {{ }} as JavaScript code on the server side. However, the execution environment lacks adequate sandboxing.
According to SecureLayer7, attackers can exploit this to access the Node.js process object and load system modules like child_process, enabling direct command execution on the host system.
Exploitation Details
An attacker requires only a valid n8n account even with low-level privileges and the ability to create or edit workflows.
The exploit can be deployed through multiple attack vectors:
- Workflow Editor: Injecting malicious expressions directly in node fields
- REST API: Submitting crafted payloads via workflow creation endpoints
- Webhook Triggers: Embedding code in webhook-based workflows
- Supply Chain: Hiding malicious code in imported workflow templates
Once triggered, successful exploitation grants complete system access, enabling attackers to steal environment variables containing API keys and database credentials, read sensitive files, install persistent backdoors, and pivot deeper into connected systems.
Organizations running affected n8n versions should immediately prioritize patching. Fixed versions include v1.120.4, v1.121.1, v1.122.0, and later releases.
Before patching, implement detection measures by monitoring for suspicious expressions containing process.mainModule.require, child_process, or execSync in workflow logs.
Network teams should restrict external access to n8n instances, limit user permissions to trusted accounts only, and audit recent workflow creation and modification logs for suspicious activity.
Security teams must review environment variable configurations and rotate any exposed credentials across connected databases and cloud platforms.
The release of public PoC code significantly accelerates the threat timeline. Given the critical nature of this vulnerability and its presence in automated workflow environments, exploitation is expected to occur rapidly in the wild.
Security and DevOps teams should treat this as a high-priority incident requiring immediate remediation.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.