CRITICAL: n8n Workflow RCE

CVE-2025-68613 | CVSS: 9.9 | Remote Code Execution

Research by: C V Sai Kamesh

n8n is a powerful open-source workflow automation tool that DevOps and security teams use to connect apps and automate tasks visually. A recently disclosed critical vulnerability, CVE-2025-68613, turns that automation capability against the host: an authenticated attacker can execute arbitrary system commands on the server running n8n.

The Vulnerability

CVE ID: CVE-2025-68613
Score: 9.9 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Vulnerable Versions: 19.0, 19.1.0, 19.1.1, and 19.2.0.

Why does this happen?

The core issue is weak isolation of user-supplied expressions. n8n lets users write expressions inside workflows to manipulate data. In the vulnerable versions, the code that evaluates these expressions trusts user input too much and lacks a strong sandbox.

A malicious expression can therefore "escape" the intended evaluation context and reach the Node.js process's main module, from which it can run system-level commands such as id or whoami, or worse, launch a reverse shell.

Proof of Concept (PoC)

Below is a step-by-step walkthrough of exploiting this vulnerability to achieve RCE.

1. Initial Access

Log in to the vulnerable n8n instance (Cloud or On-Prem).

n8n Login Screen

2. Create a Workflow

Once logged in, click "Start from scratch" to begin a new workflow.

Start from scratch

3. Add a Trigger

Click the Plus (+) sign to add a node. Search for "Manual Trigger" and select it.

Search for Manual Trigger

Once the node is added, click on it to open the configuration panel.

Manual Trigger Node

4. Injecting the Payload

In the node settings, click "Edit Fields". This lets you define custom input fields.

Edit Fields Option

Click "Add Field" and choose "String".

Add String Field

The Exploit: In the value field, paste the following JavaScript sandbox escape payload:

{{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })() }}

Payload Injection

5. Execution

Click "Execute Step". The server evaluates the expression without proper sanitization.

RCE Success Output

Result: As seen in the output above, the system command id was executed successfully, returning the server's user details (uid=1000, etc.).

Mitigation & Defense

If you are running n8n, immediate action is required.

Sigma Detection Rule

Use the following Sigma rule to detect attempts to exploit this vulnerability in your environment:

title: N8N Workflow RCE Attempt
status: experimental
description: Detects attempts to inject JavaScript expressions into n8n workflow payloads that execute OS commands via "this.process.mainModule.require('child_process').execSync(...)"
author: TryHackMe Content Engineering Team
date: 2025-12-23
logsource:
    category: webserver
    product: generic
detection:
    selection:
        cs-method: POST
        cs-uri-stem|endswith: /rest/workflows
    keywords:
        - "this.process.mainModule.require('child_process')"
        - ".execSync("
        - "={{ (function(){"
        - "toString() })()"
    condition: selection and all of keywords
level: high
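The rule's logic, applied in Python to a few constructed webserver log lines that carry the request body. This is an added example, not code from the write-up or from n8n; the log line format and the sample requests are assumptions, and the last sample line shows that the rule's selection only covers POST requests.

```python
import re

# Indicators copied from the Sigma rule above; the rule intends all of them to match.
KEYWORDS = (
    "this.process.mainModule.require('child_process')",
    ".execSync(",
    "={{ (function(){",
    "toString() })()",
)

# Constructed sample log (not real traffic): "<client> <method> <uri-stem> <status> <body>",
# as a reverse proxy or WAF configured to log request bodies might emit it.
# Line 2 is a benign expression sharing two keywords; line 4 carries the payload but
# uses PATCH, which the rule's POST-only selection does not cover (tune if needed).
SAMPLE_LOG = """\
10.0.0.5 POST /rest/workflows 200 {"value":"={{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })() }}"}
10.0.0.6 POST /rest/workflows 200 {"value":"={{ (function(){ return $json.name.toString() })() }}"}
10.0.0.7 GET /rest/workflows 200 -
10.0.0.8 PATCH /rest/workflows 200 {"value":"={{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })() }}"}
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) (?P<body>.*)$")


def parse_line(line):
    """Split one log line into the fields the rule needs; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def matches_rule(event):
    """Sigma logic: selection (POST to a URI ending in /rest/workflows) AND all keywords."""
    selection = event["method"] == "POST" and event["uri"].endswith("/rest/workflows")
    keywords = all(k in event["body"] for k in KEYWORDS)
    return selection and keywords


def scan(log_text):
    """Return the clients whose requests match the rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and matches_rule(event):
            hits.append(event["client"])
    return hits


if __name__ == "__main__":
    for client in scan(SAMPLE_LOG):
        print(f"ALERT CVE-2025-68613 expression injection attempt from {client}")
```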