Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances
A critical security vulnerability has rocked the workflow automation ecosystem, revealing a major flaw in n8n, an increasingly popular open-source automation platform. Tracked as CVE-2025-68613 and assigned a CVSS score of 9.9 out of 10, the vulnerability allows an authenticated attacker to execute arbitrary code on affected systems. With potentially hundreds of thousands of instances exposed globally, this issue underscores the growing security risks inherent in modern automation tools and self-hosted platforms. (NVD)
This article explains what the flaw is, why it is so dangerous, how widespread the exposure is, and what organizations deploying n8n should do to mitigate the risk.
Understanding n8n and Its Role in Automation
n8n is an open-source workflow automation platform that enables organizations to connect applications, APIs, and services into orchestrated automation pipelines. Much like tools such as Zapier or Microsoft Power Automate, n8n allows users to design workflows where data flows between systems automatically. It’s widely used for:
- Business process automation
- Data synchronization across services
- Event-triggered integrations
- Custom API orchestration
Its extensibility and self-hosting options have driven strong adoption among developers and enterprises who prioritize control over their data and infrastructure.
However, the very flexibility that makes n8n attractive can also introduce security risks — especially when core components evaluate user-supplied expressions or execute code as part of workflow logic.
What Is the CVE-2025-68613 Vulnerability?
The heart of this security issue lies in n8n’s workflow expression evaluation system. Under normal operation, n8n allows users to supply dynamic expressions that define how data should be transformed or routed between nodes. This evaluation happens within the runtime environment when workflows are created or modified.
The flaw in affected versions is that these user-supplied expressions are evaluated in a context that is not properly isolated from the underlying runtime. In simple terms, this means that when an authenticated user creates or edits a workflow, they could craft an expression that escapes the intended evaluation sandbox and executes arbitrary code at the operating system level. (NVD)
Because the arbitrary code runs with the same privileges as the n8n process itself, a successful exploit could allow attackers to:
- Access sensitive data stored within the n8n instance
- Modify or delete existing workflows
- Spawn shell commands or scripts on the host machine
- Pivot to other systems connected to the instance
- Establish persistent unauthorized access
These capabilities make this flaw exceptionally dangerous if left unpatched.
How Severe Is the Risk?
Security professionals assign risk using the Common Vulnerability Scoring System (CVSS), where values near 10.0 indicate maximum impact and ease of exploitation. CVE-2025-68613 has been assigned a base score of 9.9, meaning it is both critical and likely exploitable under the right conditions. (NVD)
Two key factors make this particularly severe:
- Arbitrary Code Execution (commonly labelled RCE, remote code execution): Unlike vulnerabilities that allow only information disclosure or denial of service, code execution lets attackers take control of the target system.
- Widespread Deployment: Scanning data indicates over 100,000 n8n instances might be exposed and vulnerable, including on corporate networks and internet-accessible servers. (The Hacker News)
Although exploitation requires authenticated access — meaning an attacker must already have valid credentials — this is not an insurmountable barrier. Credentials can be obtained through phishing, brute force, reused passwords, credential stuffing, or via other vulnerabilities within an organization’s environment. Once inside, exploiting this flaw becomes a path to full system takeover.
Who Is Affected?
The vulnerability affects all n8n releases starting from version 0.211.0 up to but not including 1.120.4, 1.121.1, and 1.122.0 — the versions where the patch was applied. (NVD) Given the popularity of n8n, instances deployed on self-hosted servers, virtual machines, containers, and cloud platforms could all be vulnerable if they have not been updated.
Unlike SaaS offerings where the provider typically applies patches centrally, self-hosted n8n instances rely on the organization or administrator to implement updates. This means many systems could remain exposed for extended periods, particularly if the upgrade process is slow or infrequent.
The exposure is global, with known vulnerable instances located in countries including:
- United States
- Germany
- France
- Brazil
- Singapore

…among others, highlighting the international scope of the problem. (The Hacker News)
How Can This Vulnerability Be Exploited?
Exploitation does not require a zero-day or an external attack chain. Instead, an authenticated user with permissions to create or edit workflows could place specially crafted expressions into a workflow definition. These expressions would then be evaluated in the vulnerable context, leading directly to arbitrary code execution.
This behavior is particularly dangerous in environments where:
- Workflow editing permissions are broadly granted
- Authentication controls are weak or inadequate
- Instances are directly reachable over the internet
- Single sign-on or identity federation systems have gaps
In many automation setups, typical users might have more privileges than strictly necessary, expanding the pool of potential exploitation vectors.
Patches and Mitigation
Following the disclosure of the vulnerability, the n8n development team released patched versions to address this critical flaw. The specific releases that include the fix are:
- 1.120.4
- 1.121.1
- 1.122.0

(NVD)
Organizations using n8n should upgrade immediately to one of these or later versions to eliminate the risk of exploitation.
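As an added illustration (not code from the article or from the n8n project), the following Python encodes the affected range stated above and classifies an inventory of self-hosted instances by whether they still need the upgrade. The host names and versions in the sample inventory are constructed, and choosing the fix on an instance's own release line as the upgrade target is this example's own policy, not a recommendation from the article.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]
# Affected range as the article states it: every release from 0.211.0 up to,
# but not including, the fixed releases 1.120.4, 1.121.1 and 1.122.0.
FIRST_AFFECTED: Version = (0, 211, 0, 1)
FIXED_RELEASES: List[Version] = [(1, 120, 4, 1), (1, 121, 1, 1), (1, 122, 0, 1)]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' (a leading 'v' is accepted).
    The fourth element orders a pre-release such as 1.122.0-rc.1 before its
    final release, as semver requires, so an RC of a fix still counts as vulnerable."""
    core, _, prerelease = text.strip().lstrip("v").partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if prerelease else 1)


def is_vulnerable(text: str) -> bool:
    """True if this n8n version falls inside the affected range."""
    ver = parse_version(text)
    if ver < FIRST_AFFECTED:
        return False
    # Fixed if at or above the fix on its own MAJOR.MINOR line ...
    if any(ver[:2] == fix[:2] and ver >= fix for fix in FIXED_RELEASES):
        return False
    # ... or at or above the newest fixed release, which covers all later lines.
    return ver < max(FIXED_RELEASES)


def recommended_upgrade(text: str) -> str:
    """Fixed release on the instance's own MAJOR.MINOR line, else the newest fix."""
    ver = parse_version(text)
    for fix in FIXED_RELEASES:
        if ver[:2] == fix[:2]:
            return "%d.%d.%d" % fix[:3]
    return "%d.%d.%d" % max(FIXED_RELEASES)[:3]


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each vulnerable host in {host: version} to its upgrade target."""
    return {h: recommended_upgrade(v) for h, v in inventory.items() if is_vulnerable(v)}


# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY = {"auto-01": "1.120.3", "auto-02": "1.121.1",
                    "auto-03": "1.122.0-rc.1", "legacy-01": "0.210.9"}
```

Running `triage(SAMPLE_INVENTORY)` flags only the two hosts below a fix on their line, and the release candidate of 1.122.0 is correctly kept in the vulnerable set.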
For environments that cannot patch instantly, temporary mitigation strategies include:
- Restricting workflow creation/editing permissions to a small number of trusted administrators
- Running n8n instances with minimal operating system privileges
- Limiting network access to n8n hosts behind firewalls or private networks
- Monitoring logs for unusual workflow expression submissions

These measures can reduce exposure but do not completely remove the risk, emphasizing the importance of upgrading as soon as feasible. (Censys)
Broader Implications for Workflow Automation Security
The discovery of CVE-2025-68613 highlights a broader trend in cybersecurity: as tools for automation, integration, and orchestration become more embedded in enterprise workflows, they also become high-value targets for attackers. Platforms like n8n often have access to credentials, APIs, internal systems, and sensitive data — making them attractive attack vectors.
Organizations must consider security holistically when deploying automation platforms:
- Implement least-privilege access controls for both human users and automated jobs.
- Use strong authentication mechanisms (such as multi-factor authentication) on all instances.
- Apply patch management discipline, especially for open-source and self-hosted tools.
- Segment networks to limit exposure of critical services.
- Monitor for unusual behavior at both the application and infrastructure levels.
Automation tools accelerate business processes, but without robust security practices, they can inadvertently accelerate the impact of security incidents as well.
Conclusion
The critical n8n flaw tracked as CVE-2025-68613 stands as a stark reminder that even widely-used automation platforms can harbor vulnerabilities with devastating consequences. With a near-maximum severity score (CVSS 9.9) and the potential to affect tens or hundreds of thousands of deployments worldwide, this issue demands immediate attention from security teams and system administrators alike. (NVD)
Updating to the patched n8n releases should be the first priority. Beyond that, organizations that rely on automation must take a comprehensive approach to security — one that anticipates not just threats from outside the network, but threats that arise from within trusted systems and tools.
In a landscape where automation is integral to digital operations, protecting these platforms is not optional — it is essential to maintaining trust, integrity, and resilience in modern infrastructures.