What happens when a workflow automation platform used by thousands of organizations fails to properly isolate expression evaluation contexts, allowing authenticated attackers to inject arbitrary code into automation logic that executes with full process privileges? n8n discovered this critical flaw the hard way. CVE-2025-68613 (CVSS 9.9) is a maximum-severity expression injection vulnerability affecting the n8n workflow automation platform, impacting all versions from 0.211.0 through 1.120.3. The flaw allows authenticated users to inject malicious expressions during workflow configuration that execute in an insufficiently isolated context, resulting in arbitrary code execution with the privileges of the n8n process. As of December 2025, Censys identified 103,476 potentially vulnerable instances globally, with significant concentrations in the United States, Germany, France, Brazil, and Singapore. The vulnerability permits complete compromise of affected instances, including unauthorized access to sensitive workflow data, modification of automation logic, exfiltration of credentials stored in workflow variables, and execution of system-level operations. Unlike many code execution flaws that require external attack vectors, CVE-2025-68613 exploits the inherent trust mechanisms of workflow automation itself—the ability to define expressions is core functionality, yet insufficient isolation transforms this feature into a direct pathway for code execution. Patched versions (1.120.4, 1.121.1, 1.122.0) are available, but organizations with hundreds of unpatched instances remain at immediate operational risk.
Vulnerability Root Cause (Insufficient Expression Context Isolation): CVE-2025-68613 stems from a fundamental architectural issue in how n8n evaluates expressions supplied by authenticated users during workflow configuration. When users define workflows—particularly in conditional logic, data transformations, and dynamic field mapping—they can write expressions (JavaScript-like syntax) that reference workflow variables, environment data, and runtime objects. The vulnerability exists because these expressions are evaluated in an execution context that is not sufficiently isolated from the underlying Node.js runtime. This means attackers can leverage JavaScript language features, prototype chain pollution, or direct access to Node.js built-in modules (fs, child_process, net, etc.) to execute arbitrary code during expression evaluation. The n8n maintainers confirmed in their advisory that expressions undergo insufficient sandboxing before execution, allowing authenticated users to escape expression evaluation boundaries and access dangerous runtime primitives.
Affected Versions & Patch Status: The vulnerability affects all n8n versions from 0.211.0 (released March 2021) through 1.120.3. This represents a four-year window of vulnerable deployments. The vulnerability was patched in 1.120.4 (December 2025), 1.121.1, and 1.122.0, with security researchers recommending immediate upgrades. Censys reported 103,476 exposed instances as of December 22, 2025, with geographic distribution showing 40,000+ in the US, 15,000+ in Germany, 12,000+ in France, 8,000+ in Brazil, and 6,000+ in Singapore. The remaining ~22,000 instances are distributed across Asia-Pacific, UK, Canada, Australia, and other regions.
Attack Vector & Authentication Requirement: CVE-2025-68613 requires authenticated access to the n8n platform. An attacker must either possess valid credentials (through credential theft, social engineering, or insider threat) or compromise a legitimate user account. Once authenticated, the attacker can navigate to the workflow editor and define malicious expressions in any expression field—conditional branches, variable assignments, API response parsing, or notification message templates. The expression injection does not require network-level access; it operates entirely within the workflow configuration interface. Self-hosted n8n instances face identical risk as cloud-based deployments if their authentication is compromised.
Attack Example & Code Execution Mechanics: A typical exploit might use expressions like: {{require('child_process').execSync('id')}} or {{require('fs').readFileSync('/etc/passwd', 'utf8')}} to execute arbitrary commands or read sensitive files. More sophisticated payloads could involve establishing reverse shells (require('net').createConnection() ...), downloading and executing malicious scripts, or deploying webshells for persistent access. The execution occurs synchronously within the workflow execution context, meaning the attacker receives output directly and can chain commands or file operations within a single workflow execution.
CVE-2025-68613 represents a critical risk to enterprise automation infrastructure because n8n workflows often integrate with sensitive systems—databases, APIs, cloud services, identity providers, and financial platforms. An attacker who achieves code execution within an n8n instance can leverage that foothold to access all integrated systems’ credentials stored in n8n’s workflow variables and secrets management. For example, if a workflow is configured to authenticate against a Salesforce API using stored credentials, an attacker executing code within n8n can extract those credentials and use them to directly access Salesforce. This lateral movement risk is particularly severe for organizations using n8n as a central integration hub.
Data Exfiltration & Workflow Modification Risk: Once an attacker gains code execution, they can modify workflows to silently exfiltrate data, insert malicious logic into automation chains, or disable security controls. Consider a workflow that processes financial transactions: an attacker could insert logic to siphon a percentage of every transaction to attacker-controlled accounts, and the fraud could persist undetected for months if audit logging is inadequate. Workflow modifications executed through code injection are often difficult to attribute to legitimate changes because the workflow editor logs may show only the attacker’s authenticated session, indistinguishable from a legitimate user action.
Supply Chain & Multi-Tenant Risk: n8n is widely used by managed service providers (MSPs) and integration platforms as a service (iPaaS) vendors who run shared instances serving multiple customers. A vulnerability in a shared n8n instance could allow one tenant’s malicious employee or an external attacker who compromised one tenant’s credentials to gain access to workflows and data of other tenants on the same instance. This multi-tenant risk is amplified by the fact that many organizations do not patch immediately, creating a window where attackers can systematically compromise unpatched instances.
Operational Impact & Recovery Complexity: Organizations running n8n for critical workflows (data syncing, order processing, notification systems) face severe operational disruption if instances are compromised. Recovery requires not only patching but also forensic investigation of workflow modifications, credential rotation for all systems integrated with n8n, and potential reconstruction of data affected by malicious workflow logic. In regulated industries (financial services, healthcare, government), such incidents trigger compliance reporting obligations and potential fines. The 103,476 exposed instances represent potentially thousands of organizations needing emergency remediation.
Expression Injection & Runtime Context Escape: The attack begins with an authenticated user (legitimate or compromised) accessing the n8n workflow editor. The attacker navigates to any node that accepts expressions—typically conditional branches (IF nodes), function nodes, or response mapping nodes. Instead of entering a legitimate expression referencing workflow variables (e.g., {{$json.email}}), the attacker injects JavaScript code that accesses Node.js built-in modules. Because n8n’s expression evaluator does not properly sandbox the execution context, JavaScript’s require() function is accessible, allowing direct access to dangerous modules. For example: {{require('child_process').execSync('whoami')}} would execute the whoami shell command and return the process user. More complex payloads could establish a reverse shell or download and execute a malicious script.
Credential Extraction & Lateral Movement: Once code execution is achieved, the attacker can enumerate n8n’s internal data structures to locate stored credentials. n8n maintains a credentials vault where API keys, database passwords, OAuth tokens, and other secrets are stored (typically encrypted at rest but accessible at runtime). The attacker can write expressions or scripts to iterate through n8n’s credential database, decrypt or export the credentials, and extract them for use against external systems. For instance, if n8n has a Salesforce OAuth token stored, the attacker can use that token to directly query or modify Salesforce data, escalating from n8n system access to enterprise application access.
Workflow Modification & Persistence: Rather than immediately disrupting the system, a sophisticated attacker might modify existing workflows to insert malicious logic. For example, a workflow that syncs data to a CRM could be modified to also send a copy of that data to an attacker-controlled server. Because the modification occurs through the authenticated API (the attacker has a valid session), the workflow audit log appears legitimate. The malicious logic executes on every workflow trigger, creating persistent unauthorized access to data streams. This is particularly dangerous if the workflow processes sensitive customer data or financial information.
Detection & Incident Response Procedures:
- Immediate Threat Hunting: Search n8n workflow definitions (via the database or API) for expressions containing suspicious keywords: require, execSync, eval, child_process, fs, net, or backticks (command substitution). Check the workflow execution history for failed expressions (errors that might indicate failed exploitation attempts) and for successful executions of unusual expressions. Monitor n8n process logs for process spawning (child process creation) that is not part of normal workflow operations.
- Credential Audit: Immediately rotate all credentials stored in n8n (API keys, OAuth tokens, database passwords). Assume any credential stored in a vulnerable n8n instance may have been exfiltrated. For each integrated system (Salesforce, databases, cloud services), review access logs for unauthorized activity since the instance was last patched or first deployed. Enable additional logging on downstream systems if not already in place.
- Workflow Integrity Verification: Export all workflows and compare them against known-good backups (if available). Look for recently added expressions that reference external domains or command execution. Use git diff (if workflows are version-controlled) to identify recent modifications. Treat any unusual or unfamiliar expression as a potential compromise.
- Network Segmentation & Access Restriction: Immediately restrict network access to the n8n instance to only required users and systems. Move n8n to a segmented network if possible. Restrict outbound network connections from the n8n process to only known-required destinations using firewall rules. This limits an attacker’s ability to exfiltrate data or establish command-and-control connections.
- Patching & Recovery Strategy: Upgrade to patched versions (1.120.4, 1.121.1, or 1.122.0) in a controlled maintenance window. For organizations unable to patch immediately, limit workflow creation and editing permissions to a small group of trusted administrators. Deploy n8n with minimal operating system privileges (dedicated non-root user, restricted filesystem access) and disable dangerous modules if possible (though this requires n8n reconfiguration).
- External Forensics & Credential Rotation (Extended): If compromise is suspected, engage incident response resources to conduct memory analysis of the n8n process and review system-level logs (process accounting, network connections). Extract and send suspicious files for malware analysis. Perform full credential rotation for all systems downstream of n8n, not just n8n itself. Check cloud API logs for unauthorized API calls originating from the n8n instance’s IP address.
CVE-2025-68613 is part of a broader pattern of expression injection vulnerabilities emerging in automation and integration platforms. Earlier in 2025, similar flaws were discovered in other low-code/no-code platforms where user-supplied expressions or configurations were evaluated without proper sandboxing. The trend reflects the growing adoption of workflow automation tools without corresponding security maturity in their architectural design. Many platform maintainers initially prioritized developer convenience and feature richness over security boundaries, assuming that authentication alone would suffice as a control. CVE-2025-68613 proves that assumption wrong—authenticated users, whether legitimate or compromised, cannot be trusted with unsandboxed code execution capabilities.
Historical Context & Precedent: Expression injection vulnerabilities are not new. Earlier instances include template injection flaws in Jinja2, Freemarker, and other templating engines that allowed code execution through user-supplied input. However, those vulnerabilities typically required unauthenticated access or minimal privilege. CVE-2025-68613 is notable for being a maximum-severity (CVSS 9.9) vulnerability in a widely-deployed integration platform that requires authentication but affects a core, expected feature (expression definition). This suggests that many organizations may not realize the risk—they may have deployed n8n assuming workflow expression writing was a safe, expected user capability.
Convergence with Supply Chain & Identity-Based Threats: The timing of CVE-2025-68613 coincides with industry trends toward identity compromise and supply chain attacks. Attackers increasingly target integration platforms and IT automation tools because a single compromise yields access to multiple downstream systems. An attacker who gains credentials for an n8n user (through phishing, credential stuffing, or a breach of another platform) immediately gains leverage over all systems integrated with that n8n instance. This creates a powerful incentive for attackers to target n8n deployments specifically. The 103,476 exposed instances make n8n an attractive target for systematic credential harvesting or lateral movement campaigns.
Implications for Automation-First Architectures: Organizations increasingly rely on automation platforms like n8n to reduce manual labor, improve consistency, and accelerate business processes. However, this architectural shift creates new security boundaries that many organizations have not adequately defended. A breach in a central automation hub can cascade across the entire business. Unlike traditional monolithic applications where security perimeters are well-understood, automation platforms blur the line between “application logic” and “user configuration,” making it difficult for defenders to know what expressions are “legitimate” versus “malicious.” CVE-2025-68613 highlights the need for organizations to treat automation platform security as a critical architectural concern, not just another SaaS application.
Official Advisories & Technical Documentation:
- The Hacker News: Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution – Comprehensive technical breakdown covering CVE-2025-68613 mechanics, affected versions, attack surface, and mitigation strategies. Includes Censys statistics on exposed instances by geography.
- n8n GitHub Security Advisory GHSA-v98v-ff95-f3cp – Official vendor advisory detailing the vulnerability, affected version ranges (0.211.0 through 1.120.3), patched versions (1.120.4, 1.121.1, 1.122.0), and confirmed root cause (insufficient expression context isolation).
- NVD: CVE-2025-68613 – National Vulnerability Database entry with CVSS 9.9 scoring, vector analysis, and attack complexity assessment (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
- Censys: CVE-2025-68613 Advisory & Statistics – Real-time scanning data showing 103,476 potentially vulnerable n8n instances globally as of December 22, 2025, with geographic breakdown: 40,000+ US, 15,000+ Germany, 12,000+ France, 8,000+ Brazil, 6,000+ Singapore, ~22,000 distributed across remaining regions.
- npm: n8n Package Statistics – Official package registry showing ~57,000 weekly downloads, indicating widespread adoption and deployment scale.
Affected Versions & Patch Information:
- Vulnerable Versions: 0.211.0 through 1.120.3 (four-year window of vulnerability)
- Patched Versions: 1.120.4, 1.121.1, 1.122.0 (released December 2025)
- Security Researcher Credit: Fatih Çelik (fatihhcelik.github.io)
- CVSS Score: 9.9 / 10.0 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Network accessible, low attack complexity, requires authentication, no user interaction, scope changed, high impact on confidentiality, integrity, and availability)
Attack Indicators & Exploitation Patterns:
- Suspicious Expression Keywords: require, execSync, exec, spawn, eval, Function, child_process, fs, net, http, and backticks (`) for command substitution
- Workflow-Level Indicators: Recent expressions referencing unusual modules; workflow execution errors with stack traces from the child_process module; unauthorized workflow modifications; new API connections to unfamiliar external hosts
- System-Level Indicators: Unexpected child process spawning from n8n (particularly shell commands); outbound network connections from the n8n process to unusual destinations; file access to sensitive configuration files (/etc/passwd, environment variables, .ssh directories)
- Log Anomalies: Failed expression evaluations with syntax errors indicating exploitation attempts; successful expression evaluations with unusual latency or resource consumption; credential vault access logs showing enumeration patterns
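The threat-hunting step in the incident response procedures and the indicator list above call for the same check: scan exported workflow definitions for expressions that reach Node.js primitives. The script below is an added example, not n8n's own tooling; it assumes workflows have been exported as n8n JSON (node `parameters` objects, expressions stored as strings starting with `=` and wrapping code in `{{ }}`), and the embedded sample export is constructed for illustration.

```python
import json
import re
import sys
from typing import Any, Iterator

# Indicators from the advisory's keyword list. Bare module names (fs, net, http) are only
# flagged as quoted module specifiers, so benign field names such as "offset" do not match.
SUSPICIOUS_PATTERNS = {
    "require": re.compile(r"\brequire\s*\("),
    "child_process": re.compile(r"\bchild_process\b"),
    "execSync/exec/spawn": re.compile(r"\b(?:execSync|exec|spawn)\s*\("),
    "eval/Function": re.compile(r"\b(?:eval|Function)\s*\("),
    "builtin module": re.compile(r"['\"](?:fs|net|http|https)['\"]"),
    "backtick": re.compile(r"`"),
    "external host": re.compile(r"https?://[^\s'\"}]+"),
}
# Assumption about the export format: an n8n expression is a string beginning with "="
# that wraps its code in {{ ... }}; only that inner code is inspected.
EXPRESSION_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def iter_strings(value: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string) for every string nested anywhere in a node's parameters."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from iter_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from iter_strings(child, f"{path}[{idx}]")


def scan_workflow(workflow: dict) -> list[dict]:
    """Return one finding per (node, parameter, indicator) in one exported workflow."""
    findings = []
    for node in workflow.get("nodes", []):
        for path, text in iter_strings(node.get("parameters", {})):
            for expr in EXPRESSION_RE.findall(text):
                for label, pattern in SUSPICIOUS_PATTERNS.items():
                    if pattern.search(expr):
                        findings.append({"workflow": workflow.get("name", "<unnamed>"),
                                         "node": node.get("name", "<unnamed>"),
                                         "parameter": path, "indicator": label,
                                         "expression": expr.strip()})
    return findings


# Constructed sample export: the advisory's benign {{$json.email}} expression beside
# the advisory's own example payload, so the scanner has one thing to find.
SAMPLE_EXPORT = json.loads(r'''{"name": "Customer sync (constructed sample)", "connections": {},
  "nodes": [
    {"name": "IF", "type": "n8n-nodes-base.if", "parameters":
      {"conditions": {"string": [{"value1": "={{ $json.email }}", "value2": ""}]}}},
    {"name": "Set", "type": "n8n-nodes-base.set", "parameters":
      {"values": {"string": [{"name": "who", "value": "={{ require('child_process').execSync('whoami') }}"}]}}}
  ]}''')

if __name__ == "__main__":
    # Pass exported workflow JSON files as arguments; with none, the constructed sample is scanned.
    for src in sys.argv[1:] or [None]:
        wf = json.load(open(src)) if src else SAMPLE_EXPORT
        for f in scan_workflow(wf):
            print(f"[{f['indicator']}] {f['workflow']} / {f['node']} / {f['parameter']}: {f['expression']}")
```

Every finding carries the JSON path of the offending parameter, so a reviewer can open the exact node in the editor or in a git diff of the export and decide whether the expression is legitimate.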
Mitigation & Remediation Resources:
- Immediate Actions: Upgrade to patched versions (1.120.4+) during a controlled maintenance window. Rotate all credentials stored in n8n vault. Review workflow execution logs for suspicious expressions. Restrict workflow editor access to trusted administrators only. Implement network-level monitoring for n8n process outbound connections.
- Temporary Mitigations (if patching is delayed): Limit workflow creation/editing permissions to a small trusted group. Deploy n8n in a restricted environment with minimal OS privileges (dedicated non-root user). Disable dangerous Node.js modules if possible (requires custom n8n configuration). Implement egress firewall rules to restrict n8n outbound connections to only required external APIs.
- Long-Term Hardening: Implement workflow change management with peer review before deployment. Enable comprehensive audit logging for all workflow modifications. Use infrastructure-as-code (Terraform, Helm) to maintain workflows in version control, allowing detection of unauthorized modifications. Monitor n8n security advisories regularly and maintain an automated patching schedule. Consider air-gapping n8n instances handling highly sensitive integrations.
- Testing & Validation: After patching, test all critical workflows to ensure functionality is maintained. Use integration testing to verify all downstream system connections remain operational. Check n8n logs for any errors or warnings post-update. Validate that expression evaluation behaves as expected and no legitimate workflows are broken by the patch.
Related Threat Intelligence & Context:
- Expression injection vulnerabilities in low-code/no-code platforms represent an emerging threat vector with potential for widespread impact across multiple organizations. Other integration and automation platforms should be audited for similar insufficient sandboxing issues.
- n8n is commonly deployed as a central integration hub connecting multiple enterprise applications, creating a high-value target for attackers seeking lateral movement and credential harvesting. Organizations should prioritize n8n security and treat it with equivalent rigor to identity and access management systems.
- The 103,476 exposed instances suggest this vulnerability may be actively exploited or scanned for by attackers seeking vulnerable deployments. Organizations should assume that unpatched instances may have been discovered by threat actors and prioritize emergency patching.

