CVE-2025-68613 Scanner (Version Based)
CVE-2025-68613 Scanner - Remote Code Execution (RCE) vulnerability in n8n Workflow Automation
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
9 days 9 hours
Scan only one
URL
Toolbox
n8n is an open-source workflow automation platform widely used by developers, DevOps teams, and enterprises to integrate applications and automate business processes. It is commonly deployed as a self-hosted service or containerized application within internal networks and cloud environments. The platform enables users to design workflows using a graphical interface and configurable nodes. n8n is frequently used to connect APIs, databases, messaging platforms, and internal services. Due to its flexibility, it often handles sensitive credentials and operational logic. As a result, security vulnerabilities in n8n can have a high impact on connected systems.
This vulnerability is a critical Remote Code Execution issue caused by unsafe evaluation of user-supplied expressions. Under certain conditions, authenticated users can inject malicious expressions into workflow configurations. These expressions are executed in an insufficiently isolated runtime context. This allows attackers to escape intended restrictions and access sensitive Node.js internals. The flaw enables execution of arbitrary system commands. Successful exploitation can fully compromise the affected n8n instance.
The vulnerability exists in the workflow expression evaluation mechanism that processes expressions wrapped in double curly braces. By abusing access to the global execution context, an attacker can reach process.mainModule.require. This enables loading of sensitive Node.js modules such as child_process. Through these modules, arbitrary operating system commands can be executed. The issue affects versions where expression sandboxing is incomplete. The scanner identifies vulnerable versions exposed via the n8n web interface.
Exploitation of this vulnerability may allow attackers to execute commands with the privileges of the n8n service account. Sensitive data such as API tokens, environment variables, and database credentials may be exposed. Attackers can modify or create malicious workflows to maintain persistence. In containerized or poorly isolated deployments, this may lead to host-level compromise. Business processes automated by n8n can be disrupted or manipulated. Overall, the vulnerability poses a severe risk to confidentiality, integrity, and availability.
REFERENCES
