n8n CVE-2025-68613: Critical RCE Exploit & Fix

If you rely on n8n for workflow automation, handling everything from API keys to internal data pipes, you need to pause and check your version immediately. A critical vulnerability, n8n CVE-2025-68613, has revealed that n8n’s expression engine can be tricked into executing arbitrary system commands, effectively handing over the keys to the server.

Here is everything you need to know about the flaw, how attackers exploit it, and how to secure it.

What is the Vulnerability?

CVE-2025-68613 (CVSS 9.9/10) is a Remote Code Execution (RCE) vulnerability caused by Expression Injection.

n8n allows users to use JavaScript-based expressions (everything inside {{ }}) to manipulate data between nodes. Ideally, this JavaScript should run in a “sandbox”: a restricted environment that prevents it from touching the underlying operating system.

The vulnerability exists because this sandbox was insufficiently isolated in versions prior to 1.120.4. An authenticated user (or an attacker who has gained access to the dashboard) can inject specific Node.js commands that “escape” the sandbox, allowing them to import the system’s core child_process module.


How the Exploit Works

The exploit does not require complex tools, just a browser and access to the n8n workflow editor.

The Entry Point

The attacker creates a new workflow or edits an existing one. They add a node that supports expressions, such as the “Edit Fields” (or “Set”) node.

The Payload

Instead of entering simple text, the attacker switches the field to Expression Mode and injects a JavaScript payload designed to call system commands.

The classic proof-of-concept payload looks like this:

{{ (function(){ return this.process.mainModule.require('child_process').execSync('ls -la').toString() })() }}

The Execution

When the workflow runs (even just clicking “Execute Step”), the n8n server:

  1. Evaluates the JavaScript.
  2. Bypasses the sandbox restrictions.
  3. Loads the child_process module.
  4. Executes ls -la (list files) on the underlying Linux server.

The payload used is a Sandbox Escape.

n8n tries to run user code in a “safe box” (sandbox) where you can only do basic math or string manipulation. You cannot normally access the underlying server.

However, the code this.process.mainModule... is a specific chain of commands that “climbs out” of that box.

Code segment, and what it actually does:

  • {{ ... }} (the Trigger): Tells n8n “Don’t treat this as text; treat this as code.”
  • (function(){ ... })() (the Wrapper): Defines a function and immediately runs it (an IIFE). It keeps the code tidy and ensures it executes right away.
  • return this (the Context): In JavaScript, this refers to the current object. In a poorly secured sandbox, this can sometimes see “parents” or global objects it shouldn’t see.
  • .process (the Leak): The process object contains information about the current Node.js process running the n8n application. Accessing this is the “Game Over” moment.
  • .mainModule (the Root): This grabs the root module that started the application.
  • .require('child_process') (the Weapon): Normally, you can’t use require in the sandbox. But by climbing up to mainModule, you find a version of require that is allowed to load system libraries. child_process is the library that runs Linux terminal commands.
  • .execSync('ls -la') (the Attack): Executes a shell command (like ls -la) and waits for it to finish.
  • .toString() (the Output): Converts the command’s result (which is raw binary data) into readable text so you can see it in the output panel.

From there, an attacker can read sensitive files (like we did with cat flag.txt), dump environment variables containing API keys, or establish a reverse shell to take full control of the machine.

The “blast radius” of this vulnerability is massive because n8n is often the central nervous system of a company’s automation. A compromised instance gives an attacker:

  • Full Server Control: Ability to run any Linux command as the node user.
  • Secret Access: Access to all connected credentials (AWS keys, database passwords, OAuth tokens) stored in the n8n database.
  • Internal Pivoting: The ability to attack other internal services that the n8n server can reach.

How to Fix It

Patch Immediately

The n8n team has released patched versions. You must upgrade to one of the following versions (or later):

  • 1.120.4
  • 1.121.1
  • 1.122.0
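Because the fix landed on three release lines at once, a plain “is my version newer than X” comparison gets it wrong (1.121.0 is newer than 1.120.4 but still vulnerable). The following helper is an added example, not n8n’s own tooling, that encodes exactly the fixed versions listed above: 1.120.x needs at least 1.120.4, 1.121.x needs at least 1.121.1, and 1.122.0 or any later release line is fixed. It takes the version string as reported by your instance (for example from n8n --version or the Settings page) and assumes the standard major.minor.patch format.

```javascript
// Added example (not n8n code): classify an n8n version against the
// CVE-2025-68613 fixed releases 1.120.4, 1.121.1 and 1.122.0.

const FIXED_PATCH_BY_MINOR = { 120: 4, 121: 1 }; // 1.120.x needs >= .4, 1.121.x needs >= .1
const FIRST_FIXED_MINOR_LINE = 122;               // 1.122.0 and every later release line

// Parse "1.120.4" or "v1.120.4" into [major, minor, patch].
// Anything else (e.g. "latest", a prerelease tag) is rejected rather than guessed at.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised n8n version string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// True when the version already carries the fix.
function isPatched(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major !== 1) return major > 1;              // 0.x predates the fix; 2.x+ would post-date it
  if (minor >= FIRST_FIXED_MINOR_LINE) return true;
  if (minor in FIXED_PATCH_BY_MINOR) return patch >= FIXED_PATCH_BY_MINOR[minor];
  return false;                                    // 1.119 and earlier
}

// The listed fixed release closest to an affected instance, or null if already fixed.
function recommendedUpgrade(version) {
  if (isPatched(version)) return null;
  const [, minor] = parseVersion(version);
  if (minor === 121) return '1.121.1';
  return '1.120.4'; // 1.120.x and anything older: the earliest fixed release
}

// Human-readable verdict for a quick console check.
function describe(version) {
  const target = recommendedUpgrade(version);
  return target === null
    ? `${version}: patched for CVE-2025-68613`
    : `${version}: VULNERABLE to CVE-2025-68613, upgrade to ${target} or later`;
}

// Constructed sample inputs; replace with the version your instance reports.
for (const v of ['1.119.2', '1.120.3', '1.120.4', '1.121.0', '1.121.1', '1.122.0']) {
  console.log(describe(v));
}
```

To check a real instance, pass the reported version string to describe(); the script rejects anything that is not a plain major.minor.patch string instead of silently treating it as safe.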

Temporary Mitigations

If you cannot patch immediately, you must restrict the attack surface:

  • Restrict Access: Ensure the n8n dashboard is not exposed to the public internet. Use a VPN or authenticated tunnel.
  • Limit Permissions: Only allow trusted administrators to create or edit workflows. This is an authenticated vulnerability, meaning the attacker needs a login first.
  • Harden the Container: Run n8n with the least privilege possible (non-root user) and restrict its network access to only necessary endpoints.

With CVE-2025-68613, the very features that make n8n powerful, its flexibility and ability to execute code, are also its greatest liabilities if left unchecked.

The fact that a simple JavaScript expression can escalate into full Remote Code Execution highlights a critical lesson for all of us in IT and Security: Internal tools are not safe by default. Just because a dashboard is behind a login screen does not mean it cannot be weaponised.

If you are running n8n in your environment, treat this as a “drop everything” alert. Patch your instances, audit your workflows, and ensure your internal automation tools are just as hardened as your public-facing web servers.
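Auditing workflows by hand does not scale once you have dozens of them, so here is an added example (not n8n’s own code) that scans exported workflow JSON for expressions matching the escape chain broken down above. It assumes the export format n8n produces when you download a workflow: a top-level nodes array, each node carrying its parameters, with expression-mode values stored as strings prefixed with = (as in ={{ ... }}). The indicator list covers the identifiers from the payload on this page (process, mainModule, require, child_process, execSync) plus the other child_process entry points (exec, execFile, spawn, spawnSync), which is an extension beyond the page. The sample workflow is constructed for the demonstration.

```javascript
// Added example (not n8n code): flag exported n8n workflow expressions that
// reach for the Node.js process object or child_process.

const INDICATORS = [
  'process',       // this.process / process: the Node.js process object leak
  'mainModule',    // root module that started the application
  'require',       // module loader reached through mainModule
  'child_process', // the module that runs shell commands
  'execSync', 'exec', 'execFile', 'spawn', 'spawnSync', // child_process entry points
];

// Pull every {{ ... }} body out of one expression string.
function extractExpressions(value) {
  const bodies = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(value)) !== null) bodies.push(m[1].trim());
  return bodies;
}

// Match indicators as whole identifiers, so "processed_at" or "requirement" do not fire.
function findIndicators(code) {
  return INDICATORS.filter((id) =>
    new RegExp(`(^|[^A-Za-z0-9_$])${id}(?![A-Za-z0-9_$])`).test(code));
}

// Walk a node's parameters recursively, yielding [dotted.path, stringValue] pairs.
function* walkStrings(obj, path = []) {
  if (typeof obj === 'string') { yield [path.join('.'), obj]; return; }
  if (Array.isArray(obj)) {
    for (let i = 0; i < obj.length; i++) yield* walkStrings(obj[i], [...path, String(i)]);
    return;
  }
  if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) yield* walkStrings(v, [...path, k]);
  }
}

// Returns one finding per suspicious expression: where it is and which indicators hit.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const [path, value] of walkStrings(node.parameters || {})) {
      if (!value.startsWith('=')) continue; // only expression-mode values are evaluated
      for (const code of extractExpressions(value)) {
        const indicators = findIndicators(code);
        if (indicators.length) {
          findings.push({ workflow: workflow.name, node: node.name, type: node.type, path, expression: code, indicators });
        }
      }
    }
  }
  return findings;
}

// Constructed sample export: one benign expression, one copy of the payload shown above,
// and one plain-text field that merely contains braces.
const SAMPLE_WORKFLOW = {
  name: 'Nightly export (constructed sample)',
  nodes: [
    {
      name: 'Edit Fields',
      type: 'n8n-nodes-base.set',
      parameters: {
        assignments: {
          assignments: [
            { name: 'customer', value: '={{ $json.name.toUpperCase() }}', type: 'string' },
            { name: 'listing', value: "={{ (function(){ return this.process.mainModule.require('child_process').execSync('ls -la').toString() })() }}", type: 'string' },
          ],
        },
      },
    },
    { name: 'Slack', type: 'n8n-nodes-base.slack', parameters: { text: 'Export finished {{ not an expression }}' } },
  ],
};

console.log(JSON.stringify(auditWorkflow(SAMPLE_WORKFLOW), null, 2));
```

To run it against real exports, read each file with fs.readFileSync, JSON.parse it and pass the object to auditWorkflow(); every finding names the workflow, node and parameter path so you can open the exact field in the editor. Any hit on child_process or mainModule is worth treating as an incident rather than a false positive, since legitimate expressions have no reason to reach the Node.js process at all.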

