Critical CVE in n8n Workflow Platform Exposes Instances to Arbitrary Code Execution
A critical security vulnerability has been disclosed in the n8n workflow automation platform that could allow authenticated users to execute arbitrary code under certain conditions.
Tracked as CVE-2025-68613 and assigned a CVSS score of 9.9 out of 10.0, the flaw was reported by security researcher Fatih Çelik. The issue affects n8n package releases with versions greater than or equal to 0.211.0 and below 1.120.4. The maintainers released patches in versions 1.120.4, 1.121.1, and 1.122.0.
The n8n package on npm records about 57,000 weekly downloads. The maintainers described the root cause in technical terms: "Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime."
According to the maintainers, an authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.
Assessments of exposed infrastructure indicate the vulnerability has broad reach. The attack surface management platform Censys reported 103,476 potentially vulnerable instances as of December 22, 2025. A majority of those instances are located in the United States, Germany, France, Brazil, and Singapore.
Because the vulnerability permits code execution with the n8n process privileges, the impact on an individual installation depends on how n8n is deployed and the permissions granted to the process. Instances running with elevated operating system privileges or connected to sensitive systems and data stores may face higher risk of severe impact.
n8n maintainers have issued patches and urged users to update as soon as possible. The affected version range and patched releases are as follows:
- Affected: versions >= 0.211.0 and < 1.120.4
- Patched: 1.120.4, 1.121.1, 1.122.0
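To turn the range above into something an operator can run against an inventory, the following is an added example (not n8n project code and not part of the advisory) that classifies a version string against the published affected range and patched releases. The `assess` and `versionFromPackageJson` helpers and their status labels are this example's own naming; the range constants are copied from the advisory text. Pre-release tags (for example `1.120.4-rc.1`) are treated as sorting below the corresponding release, following the semver rule, so they land inside the affected range rather than being mistaken for the patched build.

```javascript
// Added example: check an n8n version against the CVE-2025-68613 range.
// Affected: >= 0.211.0 and < 1.120.4. Patched: 1.120.4, 1.121.1, 1.122.0.
const AFFECTED_MIN = "0.211.0"; // inclusive
const AFFECTED_MAX = "1.120.4"; // exclusive
const PATCHED = ["1.120.4", "1.121.1", "1.122.0"];

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  // Same numeric triple: a pre-release sorts before the final release.
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0; // two pre-releases of the same triple are treated as equal here
}

// Classify a version relative to the advisory's range and patched list.
function assess(version) {
  const inRange = compareVersions(version, AFFECTED_MIN) >= 0 &&
                  compareVersions(version, AFFECTED_MAX) < 0;
  if (inRange) {
    return { version, status: "affected",
             action: `upgrade to one of ${PATCHED.join(", ")}` };
  }
  if (PATCHED.some((p) => compareVersions(version, p) === 0)) {
    return { version, status: "patched", action: "none" };
  }
  return { version, status: "outside_affected_range",
           action: "not inside the published affected range; confirm against the vendor advisory" };
}

// Extract the version field from the text of an installed package.json.
function versionFromPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  if (typeof pkg.version !== "string") throw new Error("package.json has no version field");
  return pkg.version;
}
```

Feed `assess` the `version` field from the installed n8n package's package.json (via `versionFromPackageJson`) or the version shown in the n8n UI; anything reported as `affected` should be scheduled for upgrade first.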
For organizations and operators that cannot apply updates immediately, the maintainers recommended several mitigation steps to reduce exposure until patches can be deployed.
- Limit workflow creation and editing permissions to trusted users only.
- Deploy n8n in a hardened environment with restricted operating system privileges.
- Restrict network access to the n8n service to trusted hosts and networks.
These mitigations aim to reduce the likelihood that an attacker could supply malicious expressions during workflow configuration or leverage an account with sufficient privileges to trigger code evaluation in the vulnerable execution context.
The disclosure underscores the risks associated with evaluating user-supplied expressions inside automation and workflow engines when isolation between user input and the underlying runtime is incomplete. The n8n team’s patches seek to restore isolation and block unexpected evaluation paths that could expose the runtime.
Operators are advised to inventory n8n deployments in their environments and prioritize upgrades to the patched releases. Given the reported number of potentially vulnerable instances, organizations should treat the issue as high priority for remediation.
Security teams conducting incident response or threat-hunting exercises should consider indicators tied to unexpected workflow changes, unauthorized access to n8n administrative functions, or anomalous processes spawned by the n8n runtime. Such activity could indicate an exploitation attempt or a successful intrusion using the vulnerability described in CVE-2025-68613.
n8n users and administrators looking to mitigate risk should follow the vendor guidance, apply available updates, and harden deployments where immediate patching is not feasible.