Critical Expression Injection Vulnerability in n8n (CVE-2025-68613)
CVE-2025-68613 is a critical security flaw in n8n, a workflow automation tool built on Node.js and JavaScript. Disclosed on December 19, 2025, this vulnerability carries a CVSS score of 9.9, indicating severe risk. Attackers can exploit it to execute arbitrary JavaScript code with the privileges of the n8n process, bypassing authentication controls and compromising system integrity.
Key Points
- Vulnerability Type: Expression Injection (CWE-94: Improper Control of Code Generation)
- CVSS Score: 9.9 (Critical)
- Affected Software: n8n (Node.js-based workflow automation)
- Disclosure Date: December 19, 2025
- Exploitability: Requires authentication, but any authenticated user can trigger the attack
Root Cause Analysis
Inadequate Input Validation
n8n processes user input wrapped in double curly braces {{ }} as JavaScript code without proper sandboxing or input sanitization. This design flaw allows attackers to inject malicious expressions that execute in the context of the n8n process.
Security Boundary Violation: User-controlled expressions should never have access to Node.js’s module system, particularly dangerous modules like
child_process.
Missing Context Isolation
The expression evaluator in n8n lacks proper context isolation, enabling attackers to:
- Escape the intended evaluation sandbox
- Access Node.js core modules (e.g.,
child_process,fs) - Execute system-level commands
Exploitation Mechanics
Attack Vector
- An authenticated user submits a crafted payload via n8n’s expression evaluator.
- The payload escapes the sandbox and executes with n8n process privileges.
- Arbitrary code execution (ACE) occurs, potentially leading to:
- Remote code execution (RCE)
- Data exfiltration
- Privilege escalation
Proof-of-Concept (PoC) Payload
The following payload demonstrates how an attacker could execute system commands (e.g., id to retrieve user information):
{{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })() }}
Note: This exploit is publicly documented at wioui/n8n-CVE-2025-68613-exploit.
Impact and Risks
| Impact Area | Description |
|---|---|
| Confidentiality | Attackers can access sensitive data processed by n8n or stored on the system. |
| Integrity | Malicious code can modify workflows, data, or system configurations. |
| Availability | Exploits may crash the n8n process or disrupt automation workflows. |
| Privilege Escalation | If n8n runs with elevated privileges, attackers can gain full system control. |
Mitigation and Remediation
Immediate Actions
- Upgrade n8n to the latest patched version (if available).
- Restrict access to n8n instances to trusted users only.
- Monitor logs for suspicious expression evaluations (e.g.,
child_processusage).
Long-Term Fixes
- Implement strict sandboxing for expression evaluation (e.g., using VM2 or similar libraries).
- Disable dangerous modules (e.g.,
child_process,fs) in the expression evaluator. - Add input validation to reject or sanitize curly-brace-wrapped expressions.
Learn More
Official Resources
- n8n Security Advisory (check for updates)
- CVE Details for CVE-2025-68613
Technical Deep Dives
Best Practices for Secure Workflow Automation
- Principle of Least Privilege: Run n8n with minimal necessary permissions.
- Network Segmentation: Isolate n8n instances from critical systems.
- Regular Audits: Review workflows and expressions for suspicious patterns.
- Dependency Updates: Keep Node.js and n8n dependencies up to date.