
Critical n8n RCE Vulnerability (CVE-2025-68613) Endangers Workflow Automation
A critical Remote Code Execution vulnerability (CVE-2025-68613, CVSS 9.9) in the n8n workflow automation platform could allow authenticated attackers to execute arbitrary code with full process privileges, compromising data and workflows. Over 100,000 instances are potentially exposed. This article explains the flaw, affected versions, mitigation steps, and patch guidance.
Introduction
Security researchers have disclosed a critical Remote Code Execution (RCE) vulnerability in the n8n workflow automation platform, tracked as CVE-2025-68613 with a CVSS score of 9.9 (Critical). n8n is an open-source automation tool used widely to orchestrate data flows, integrations, and business logic across enterprise and cloud environments. Under specific conditions, the flaw enables an authenticated user to execute arbitrary code with the privileges of the n8n process, potentially leading to full instance compromise, unauthorized data access, workflow manipulation, and system-level operations.
What happened
The vulnerability stems from how n8n evaluates expressions during workflow configuration. Versions starting at 0.211.0 up to (but not including) 1.120.4, 1.121.1, and 1.122.0 contain the flaw, which arises because user-supplied expressions are evaluated in a context insufficiently isolated from the runtime environment. Authenticated attackers with workflow creation or editing privileges can craft expressions that break out of sandbox boundaries to execute arbitrary code on the host.
Security advisories indicate that over 100,000 internet-exposed n8n instances may still be running affected versions, posing widespread risk to automation infrastructure globally.
Technical details
CVE-2025-68613 is rooted in a weakness in n8n’s workflow expression evaluation system, categorized under CWE-913: Improper Control of Dynamically-Managed Code Resources. When n8n parses and evaluates expressions within workflow nodes, insufficient isolation allows those expressions to access broader runtime objects, enabling them to execute arbitrary operating system commands with the permissions of the n8n process itself.
This class of vulnerability illustrates the risks inherent in dynamic expression engines within automation platforms where user input and code evaluation intersect.
Who is affected and why it matters
The vulnerability impacts self-hosted and on-premise n8n deployments that allow authenticated users to create or edit workflows. Because n8n integrations often connect to internal systems, APIs, and sensitive data stores, successful exploitation not only undermines the automation platform itself but may also serve as a beachhead into broader network resources.
The authenticated users in question are any accounts holding workflow permissions, not only administrators, so automation engineers, integration operators, or service accounts could unwittingly provide an entry point if their credentials are compromised or their permissions are misconfigured.
Mitigations and patch guidance
The n8n development team has released patches that resolve this critical flaw. Vulnerable versions should be upgraded immediately to one of the patched releases: 1.120.4, 1.121.1, or 1.122.0.
Temporary mitigations for environments where immediate upgrading is not possible include:
- Restricting workflow creation and editing permissions to fully trusted users only.
- Running n8n in a hardened execution environment with reduced operating system privileges.
- Restricting network access to the n8n host to trusted internal services only.
These workarounds do not eliminate exploitation risk but may reduce attack surface until patches are applied.
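The affected range stated above is branch-aware: the three fixed releases sit on separate release lines, so 1.121.0 is still vulnerable even though it is numerically newer than the fixed 1.120.4. The following Python script is an added example, not n8n's own code, that encodes exactly that rule so an administrator can classify version strings collected from an inventory (for example Docker image tags or the output of `n8n --version`); the sample inventory at the bottom is constructed for illustration and names no real hosts.

```python
"""Classify n8n version strings against the CVE-2025-68613 affected range.

Affected per the advisory: >= 0.211.0 and below 1.120.4, 1.121.1 or 1.122.0,
where each of the three fixed versions only covers its own release line.
"""
import re
from typing import Tuple

# (major, minor, patch, final) where final is 0 for a pre-release and 1 for a
# final build, because semver orders 1.122.0-rc.1 below 1.122.0.
Version = Tuple[int, int, int, int]

FIRST_AFFECTED: Version = (0, 211, 0, 1)
# Fixed releases named in the advisory, keyed by their (major, minor) line.
FIXED_ON_LINE = {
    (1, 120): (1, 120, 4, 1),
    (1, 121): (1, 121, 1, 1),
}
FIXED_FLOOR: Version = (1, 122, 0, 1)  # 1.122.0 and every later line is fixed

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_version(text: str) -> Version:
    """Extract the semantic version from strings such as '1.119.2', 'v1.120.3',
    'n8nio/n8n:1.121.0' or the 'n8n --version' output."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_vulnerable(version: Version) -> bool:
    """True when the version falls inside the advisory's affected range."""
    if version < FIRST_AFFECTED:
        return False                # predates the affected expression evaluator
    if version >= FIXED_FLOOR:
        return False                # 1.122.0 or later
    fixed = FIXED_ON_LINE.get(version[:2])
    if fixed is not None:
        return version < fixed      # on the 1.120.x or 1.121.x line
    return True                     # 0.211.0 .. 1.119.x: no fix on these lines


def classify(text: str) -> str:
    """Human-readable verdict for one inventory entry."""
    status = "VULNERABLE" if is_vulnerable(parse_version(text)) else "not affected"
    return f"{text}: {status}"


# Constructed sample inventory (no real hosts), e.g. gathered from image tags.
SAMPLE_INVENTORY = [
    "n8nio/n8n:1.119.2",
    "v1.120.3",
    "1.120.4",
    "1.121.0",
    "1.121.1",
    "1.122.0",
    "1.122.0-rc.1",
    "0.210.9",
    "0.211.0",
]


def audit(inventory=SAMPLE_INVENTORY):
    """Classify every entry and return the verdict lines."""
    return [classify(entry) for entry in inventory]


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Feed it the version strings from your own inventory; any entry reported as VULNERABLE should be scheduled for upgrade to 1.120.4, 1.121.1 or 1.122.0 and, until then, covered by the temporary mitigations listed above.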
Threat landscape and context
Workflow automation platforms like n8n are increasingly adopted across DevOps, IT operations, and business automation teams because they bridge no-code interfaces with integration logic. However, their flexibility can also introduce security challenges when dynamic expression evaluation intersects with underlying runtime privileges.
In the broader context of automation security, a critical RCE flaw in a platform with deep internal access and integration capabilities represents a significant risk - especially when thousands of instances may be exposed to the internet with default configurations.
Conclusion
CVE-2025-68613 underscores the importance of proactive vulnerability management in modern automation platforms. n8n users and administrators should audit versions immediately, prioritize updating to the latest secure releases, and review access policies to ensure only trusted users can modify workflows.
Failing to address this flaw leaves environments susceptible to full compromise with potentially far-reaching operational and data consequences.
Patch immediately and integrate version monitoring into your vulnerability management processes.
Frequently Asked Questions
It’s a critical Remote Code Execution flaw in the n8n workflow automation platform’s expression evaluation system that can lead to full instance compromise.
Versions from 0.211.0 up to but not including 1.120.4, 1.121.1, and 1.122.0 are vulnerable.
Upgrade to a patched release immediately and restrict workflow editing permissions until all hosts are updated.
Yes, an authenticated user can exploit the flaw over the network to execute arbitrary code with n8n process privileges.