CVE-2025-68613: Critical RCE Vulnerability Disclosed in n8n Workflow Automation

A critical security vulnerability has been identified in the n8n workflow automation platform, a widely used tool for building and managing automated workflows. The issue, tracked as CVE-2025-68613 and rated with a CVSS score of 9.9, could allow authenticated attackers to execute arbitrary code on affected systems under specific conditions.

This blog explains what the vulnerability is, which versions are impacted, how exploitation could affect deployed environments, and what steps administrators should take next.

What Is CVE-2025-68613?

CVE-2025-68613 is a Remote Code Execution (RCE) vulnerability related to how n8n evaluates expressions during workflow configuration. In certain scenarios, user-supplied expressions may be evaluated in a context that is not sufficiently isolated from the underlying runtime.

An attacker with valid authentication could abuse this behavior to execute arbitrary code with the same privileges as the n8n process. In practical terms, this could result in full compromise of the affected instance.

With a CVSS score of 9.9, the vulnerability represents a high-impact scenario where limited access can quickly escalate into complete system control.

Tracking and responding to high-severity vulnerabilities like CVE-2025-68613 requires more than patch awareness. SOCRadar Vulnerability Intelligence helps security teams monitor newly disclosed CVEs, understand their technical impact, and assess how rapidly risk is evolving based on exploit availability and threat actor activity.

Which n8n Versions Are Affected?

The vulnerability affects n8n versions starting from 0.211.0 up to, but not including, 1.120.4.

The issue has been fixed in the following releases:

• 1.120.4
• 1.121.1
• 1.122.0

Any deployment running an affected version should be considered at risk.

How Could This Vulnerability Impact n8n Deployments?

n8n is commonly used to automate business logic, data flows, and integrations with internal systems, cloud services, and third-party APIs. If CVE-2025-68613 is exploited, attackers could gain control over the n8n instance, access sensitive data handled by workflows, modify or inject malicious logic, and execute system-level operations on the host.

Because workflow automation platforms often store credentials and access tokens, a compromise at this layer can quickly turn into a broader security incident. According to the researchers, a large number of n8n instances are reachable over the internet. As of late December 2025, more than 100,000 potentially vulnerable instances were observed online, with significant concentrations in the United States, Germany, France, Brazil, and Singapore.

This level of exposure increases the likelihood of scanning and opportunistic exploitation, especially after public disclosure.

PoC Availability and Risk Implications

Public Proof-of-Concept (PoC) material for CVE-2025-68613 has been released. The availability of PoC code materially increases the risk associated with this vulnerability.

While exploitation requires authentication, published PoCs lower the technical barrier and make abuse easier in environments with open registration, weak access controls, or shared workflow usage. Organizations should assume increased attacker interest following disclosure.

SOCRadar’s Attack Surface Management (ASM) capabilities help organizations identify whether n8n instances are exposed to the internet and correlate vulnerable software versions with real, reachable assets. This allows teams to move from theoretical risk to confirmed exposure, prioritizing remediation efforts where they matter most.

By combining vulnerability context with continuous external asset discovery, security teams gain earlier awareness and faster response when critical issues like CVE-2025-68613 emerge.

Is There Evidence of Active Exploitation?

At the time of writing, there are no confirmed reports of widespread exploitation. However, the combination of critical severity, broad internet exposure, and publicly available PoC code places this vulnerability in a high-risk category that warrants immediate action.

What Should Administrators Do Next?

Administrators should upgrade to a patched version as soon as possible. n8n version 1.122.0 and later introduce additional safeguards that restrict expression evaluation and prevent access to sensitive runtime objects.

If immediate upgrading is not possible, temporary mitigations include limiting workflow creation and editing permissions to fully trusted users, disabling public registration where applicable, and deploying n8n in a hardened environment with restricted operating system privileges and network access. These steps reduce risk but do not fully eliminate it.

Applying the official updates remains the only complete remediation for CVE-2025-68613.