
Automation Gone Rogue: CVE-2025-68613 Puts n8n Instances at Risk

Red | Vulnerability Report

CVE-2025-68613 is a critical remote code execution vulnerability in the n8n workflow automation platform, caused by insufficient sandbox isolation in its expression evaluation engine. The vulnerability was first seen on December 19, 2025, and affects a widely adopted package with approximately 57,000 weekly downloads, which amplifies the operational risk across enterprise, cloud, and CI/CD environments. The underlying weakness is improper control over dynamically managed code resources: during expression evaluation, the platform fails to adequately restrict access to variables, objects, classes, functions, and executable instructions. Authenticated attackers with workflow editing privileges can inject malicious expressions into workflow configurations that escape the evaluation context and run arbitrary operating system commands with the privileges of the n8n process. Successful exploitation can lead to complete compromise of affected instances, including unauthorized access to sensitive data, manipulation of workflows, execution of system-level operations, and potential lateral movement within the environment.

The CVE-2025-68613 vulnerability impacts n8n deployments across a broad range of scenarios, including self-hosted enterprise installations, internet-facing cloud deployments, multi-tenant automation environments, embedded automation use cases, and CI/CD pipelines that rely on n8n for orchestration. Exposed n8n instances are most heavily concentrated in the United States, followed by Germany, France, Brazil, and Singapore. Organizations should immediately upgrade n8n to version 1.120.4, 1.121.1, 1.122.0 or later to patch CVE-2025-68613.

Vulnerability Details

Critical n8n Remote Code Execution via Expression Injection

A critical security flaw has been disclosed in the n8n workflow automation platform that enables remote code execution under specific conditions. Tracked as CVE-2025-68613, the n8n vulnerability affects a widely adopted package with approximately 57,000 weekly downloads, significantly amplifying its operational risk across enterprises that have deployed n8n for workflow automation.

The CVE-2025-68613 issue originates in n8n’s workflow expression evaluation engine. When authenticated users create or modify workflows in n8n, they can embed expressions that are executed by the runtime. Due to inadequate sandbox isolation in the n8n expression evaluation engine, these expressions are not sufficiently contained. As a result, crafted inputs can escape their intended execution boundaries and interact directly with system-level operations on the host running n8n.

This weakness in n8n constitutes a critical remote code execution vulnerability caused by improper control over dynamically managed code resources. The n8n platform fails to adequately restrict access to variables, objects, classes, functions, and executable instructions during expression evaluation. An attacker with workflow editing privileges can exploit the CVE-2025-68613 gap by injecting malicious expressions into a workflow configuration.

Once processed by the n8n runtime, the malicious expressions break out of the evaluation context and execute arbitrary operating system commands with the same privileges as the n8n process. Successful exploitation of CVE-2025-68613 can lead to complete compromise of the affected n8n instance, including unauthorized access to sensitive data stored in workflows, manipulation of existing workflows to alter business logic, execution of system-level operations that could impact the entire host, and potential lateral movement within the environment by pivoting from the compromised n8n server.

The CVE-2025-68613 vulnerability impacts n8n deployments across a broad range of scenarios, including self-hosted enterprise installations where organizations run n8n internally for business process automation, internet-facing cloud deployments that expose n8n interfaces to external users, multi-tenant automation environments where multiple teams share n8n infrastructure, embedded automation use cases where n8n is integrated into larger applications, and CI/CD pipelines that rely on n8n for orchestration and deployment automation. Exposed n8n instances vulnerable to CVE-2025-68613 are most heavily concentrated in the United States, followed by Germany, France, Brazil, and Singapore. Given the potential for full instance takeover and widespread operational impact, CVE-2025-68613 represents a high-severity risk that demands immediate remediation through patching n8n to versions 1.120.4, 1.121.1, 1.122.0 or later.

Recommendations

Mitigating CVE-2025-68613 n8n Remote Code Execution Risk

Immediate Upgrade to Patched Version: Upgrade n8n to version 1.120.4, 1.121.1, 1.122.0 or later without delay. These releases fix CVE-2025-68613 by strengthening sandbox isolation and enforcing stricter controls on expression evaluation, effectively closing the remote code execution vector in n8n. Patch cloud-hosted, multi-tenant, CI/CD, and internet-accessible n8n instances first, since attackers can reach the vulnerability most easily there and the impact is highest.
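Because the fix shipped on three release lines, a plain "is the version at least 1.120.4" comparison would wrongly clear 1.121.0. The following added example (not code from n8n or from this advisory) checks an inventory per release line; it assumes each listed version is the first fixed release on its minor line, and the host names are hypothetical.

```javascript
// Added example: triage n8n versions against the fixed releases in this advisory.
// Assumption: each listed version is the first fixed release on its minor line.
const FIXED = [
  { major: 1, minor: 120, patch: 4 },
  { major: 1, minor: 121, patch: 1 },
  { major: 1, minor: 122, patch: 0 },
];

// Parse "1.121.0", "v1.120.4" or "1.122.0-beta.1"; return null if unparseable.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: Boolean(m[4]) };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// A pre-release of the fixed version itself sorts before it, so it does not count.
function atLeast(v, fixed) {
  const c = compare(v, fixed);
  return c > 0 || (c === 0 && !v.prerelease);
}

// true = fixed, false = upgrade needed, null = version could not be determined.
function isPatched(raw) {
  const v = parseVersion(raw);
  if (!v) return null;
  if (atLeast(v, FIXED[FIXED.length - 1])) return true; // 1.122.0 and everything after
  const line = FIXED.find((f) => f.major === v.major && f.minor === v.minor);
  return line ? atLeast(v, line) : false; // older lines have no fix listed here
}

// Constructed inventory (hypothetical hosts), e.g. collected from image tags.
const inventory = [
  { host: "automation-prod", version: "1.121.0" },
  { host: "automation-ci", version: "1.120.7" },
  { host: "automation-dev", version: "1.119.2" },
  { host: "automation-lab", version: "latest" },
];

// Hosts to act on: unpatched, or version unknown and needing manual checking.
function needsAttention(hosts) {
  return hosts.filter((h) => isPatched(h.version) !== true).map((h) => h.host);
}

console.log(needsAttention(inventory));
```

Hosts whose version cannot be parsed, such as a floating `latest` tag, are reported rather than assumed safe.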

Restrict Workflow Permissions: Limit workflow creation and editing rights to a minimal set of fully trusted users in n8n deployments. Since exploitation of CVE-2025-68613 requires authenticated access with workflow modification privileges, reducing this attack surface directly lowers risk of n8n compromise. Implement role-based access controls to ensure only authorized personnel can create or modify n8n workflows.

Harden the Execution Environment: Run n8n with the least possible operating system privileges and apply strict filesystem, process, and network restrictions. This constrains attacker capabilities even if expression escape through CVE-2025-68613 is attempted on unpatched n8n instances. Deploy n8n within containerized environments with appropriate security contexts and resource limitations to contain potential compromise.

Audit and Monitor Workflows: Review existing n8n workflows for suspicious expressions and monitor execution behavior for anomalies. Post-exploitation detection is essential for environments that have delayed upgrading n8n to patched versions. Implement logging and alerting for unusual expression patterns, unexpected system commands, or abnormal resource usage that could indicate CVE-2025-68613 exploitation attempts.
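One way to start the workflow review is to walk exported workflow JSON and flag expressions that reference JavaScript runtime internals instead of workflow data. This is an added example, not n8n's or Hive Pro's code; it assumes the export layout `nodes[].parameters` with expressions stored as strings that begin with `=` and wrap code in `{{ }}`, and the token list is an illustrative heuristic, not a vendor signature.

```javascript
// Added example: heuristic audit of exported n8n workflow JSON.
// The token list is an assumption for illustration; tune it for your environment.
// A data field that happens to be named e.g. "process" will also be flagged.
const SUSPICIOUS =
  /\b(constructor|__proto__|process|require|child_process|mainModule|globalThis|Function|eval)\b/g;

// Recursively yield every {{ ... }} expression found in a parameter tree.
function* expressions(value, path) {
  if (typeof value === "string") {
    if (value.startsWith("=")) {
      for (const m of value.matchAll(/\{\{([\s\S]*?)\}\}/g)) {
        yield { path, code: m[1].trim() };
      }
    }
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      yield* expressions(child, `${path}.${key}`);
    }
  }
}

// Return one finding per expression that references a suspicious token.
function auditWorkflow(wf) {
  const findings = [];
  for (const node of wf.nodes || []) {
    for (const { path, code } of expressions(node.parameters, "parameters")) {
      const tokens = [...new Set(code.match(SUSPICIOUS) || [])];
      if (tokens.length) {
        findings.push({ workflow: wf.name, node: node.name, path, tokens, code });
      }
    }
  }
  return findings;
}

// Constructed sample workflow: one ordinary expression, one that reaches for
// the runtime's process object and should be reviewed by a human.
const sample = {
  name: "constructed-demo",
  nodes: [
    { name: "Set greeting", type: "n8n-nodes-base.set",
      parameters: { value: "=Hello {{ $json.firstName }}" } },
    { name: "Edit fields", type: "n8n-nodes-base.set",
      parameters: { assignments: [{ name: "x", value: "={{ process.env.PATH }}" }] } },
  ],
};

console.log(auditWorkflow(sample));
```

A finding is a prompt for manual review of the named node, not proof of exploitation; compare flagged workflows against change history to see who edited them and when.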

MITRE ATT&CK TTPs

CVE-2025-68613 n8n Vulnerability Exploitation Tactics

Execution:

  • T1059: Command and Scripting Interpreter – Executing arbitrary OS commands through n8n expression injection
  • T1203: Exploitation for Client Execution – Leveraging CVE-2025-68613 to execute code

Privilege Escalation:

  • T1068: Exploitation for Privilege Escalation – Escalating privileges through n8n vulnerability exploitation

Defense Evasion:

  • T1211: Exploitation for Defense Evasion – Bypassing n8n sandbox isolation mechanisms

Persistence:

  • T1546: Event Triggered Execution – Maintaining persistence through modified n8n workflows

Collection:

  • T1005: Data from Local System – Accessing sensitive data from compromised n8n instances

Impact:

  • T1565: Data Manipulation – Altering workflow logic and data
  • T1565.001: Stored Data Manipulation – Modifying stored workflow configurations and credentials
