## https://sploitus.com/exploit?id=89FCAC08-D29B-5041-8ADF-0645A117D7DF
# n8n CVE-2025-68613 Internet Scanner
A Tkinter-based GUI tool to discover publicly exposed **n8n** instances via Shodan and test them for exposure to **CVE‑2025‑68613** across a wide version range.
The scanner:
- Queries Shodan with multiple fingerprints (title, HTML markers, favicons, cloud orgs) to find likely n8n hosts on common ports (e.g. `5678`).
- Connects to candidates and probes key endpoints: `/`, `/login`, `/workflow`, `/rest/healthz`.
- Attempts to extract the running n8n version from HTML / JS using several heuristics.
- Classifies each host as **VULNERABLE**, **SAFE**, **UNKNOWN**, or **FAILED** based on version and connectivity.
- Stores all results in a local SQLite database and offers CSV export.
> ⚠️ **Legal notice**
> This tool is intended for security research, education, and testing of systems that you **own or are explicitly authorised to test**.
> Scanning random hosts on the internet may violate laws or terms of service in your jurisdiction.
> Use responsibly and at your own risk.
---
## Features
- **GUI frontend** built with Tkinter (no CLI arguments needed).
- **Shodan integration** with many tailored queries (title, favicon hashes, HTML signatures, cloud provider filters, etc.).
- **Concurrent scanning** using `ThreadPoolExecutor` and worker queues for high throughput.
- **Endpoint dashboard**:
- Shows discovered instances (IP, country, version, vulnerable YES/NO).
- Detailed results table: time, IP:Port, version, status, endpoints, country.
- **Robust state tracking**: discovered / tested / vulnerable / failed counters with live updates.
- **SQLite backend** (`n8n_results.db`) storing hosts and per-scan test results.
- **CSV export** of all scan results for offline analysis.
---
## Installation
### Prerequisites
- Python **3.9+** (tested with 3.10).[
- A Shodan account and a valid browser cookie for `www.shodan.io` (polito cookie).[file:23]
- Network connectivity that allows outbound HTTP to potential n8n hosts (typically port 5678).
### Clone the repository and run the interface
- https://github.com/manyaigdtuw/CVE-2025-68613_Scanner.git
- python n8n_Scanner_cve68613.py
### Scan controls (left panel)
- **Mode**
- `Shodan`: search internet-facing hosts using Shodan queries.
- `Scan IP range`: reserved for future work (currently uses Shodan-style producer logic; keep `Shodan` selected)
- **Threads**: number of parallel consumer workers (default: 20).
- **Shodan Cookie**: paste your `polito` cookie value from browser dev tools (Domain: `www.shodan.io`).
Then press **Start Scan**.
To stop scanning, press **Stop**; the tool will finish processing in-flight tasks and update the stats.
### Understanding statuses
Per host, the “Status” column can be:
- **VULNERABLE** – version falls within the CVE‑2025‑68613 range (≥ `0.211.0` and < `1.122.0`).
- **SAFE** – version successfully parsed but is outside the vulnerable window.
- **UNKNOWN** – host responded but version could not be reliably extracted from HTML/JS.
- **FAILED** – scanner could not reach the host at all (TCP refused / timed out / other error).
The “Endpoints” summary shows a compact view of the first few endpoints and their HTTP status codes, e.g.:
`/:200; /login:200; /workflow:200`.
### Database and export
- Results are stored in `n8n_results.db` with two tables
- `n8n_hosts`: one row per IP, with last-seen attributes.
- `n8n_test_results`: per-test results including status and endpoints JSON.[file:23]
- Click **Export Results** to write all results to a CSV file of your choice, including timestamps, IP, port, country, version, status, vulnerable flag, and raw endpoints JSON.[file:23]
---
## Configuration details
Key constants at the top of the script (class `N8nScanner.__init__`) control behaviour:
- `BASE_URL`, `FACET_URL`: Shodan search endpoints.
- `DEFAULT_PORT`: default n8n port (`5678`).
- `CONNECTION_TIMEOUT`: HTTP timeout in seconds (default `15`).
- `MAX_WORKERS`: number of consumer threads.
- `VULN_MIN_VERSION`, `VULN_MAX_VERSION`: version bounds for CVE‑2025‑68613.
- `max_debug_html`: how many HTML snapshots to save for debugging
Shodan queries include favicon hashes, HTML signatures, cloud provider filters, and n8n-specific strings to improve hit rate.
---