Technical Advisory: n8n Remote Code Execution via Expression Injection

Giuseppe Trovato
Head of Research

Critical remote code execution vulnerability in n8n workflow automation platform allows authenticated users to execute arbitrary code on the server through specially crafted workflow expressions that escape the sandbox isolation.

Disclosed: December 19, 2024

Severity: Critical (CVSS 9.9/10.0)

Package/Component: n8n (versions >= 0.211.0, < 1.120.4)

Advisories: GHSA-v98v-ff95-f3cp, CVE-2025-68613

Executive Summary

What Happened:

A critical remote code execution vulnerability was discovered in n8n, a widely-used workflow automation platform. The flaw allows authenticated users to execute arbitrary code on the underlying server through specially crafted workflow expressions.

Why It Matters:

  • Supply Chain Risk: With over 103,000 exposed instances globally, this vulnerability poses significant supply chain risk as n8n workflows often integrate with critical business systems and process sensitive data
  • Data Sovereignty: Compromised instances can expose all data processed by workflows, including credentials, API keys, customer data, and proprietary business logic
  • Operational Continuity: Successful exploitation enables complete instance takeover, allowing attackers to modify workflows, disrupt automation processes, and establish persistent access
  • AI/Automation Trust: As organisations increasingly rely on workflow automation for AI agent orchestration and business process automation, this vulnerability undermines trust in the security of automation platforms

High-Level Risks:

  • Arbitrary code execution with n8n process privilege
  • Credential theft from workflow configurations and environment variables
  • Exfiltration of data processed by automated workflows
  • Lateral movement to connected systems and APIs

Immediate Actions:

  1. Update Immediately: Upgrade to n8n version 1.122.0 or later
  2. Rotate Credentials: Review and rotate all credentials stored in n8n workflows and environment variables
  3. Restrict Permissions: Restrict workflow creation/editing permissions to trusted users only
  4. Monitor for IOCs: Audit workflow execution logs for suspicious activity

Overview

n8n contains a critical remote code execution vulnerability in its workflow expression evaluation system (GHSA-v98v-ff95-f3cp, CVE-2025-68613). The vulnerability allows expressions supplied by authenticated users during workflow configuration to be evaluated in contexts lacking sufficient isolation from the underlying Node.js runtime, enabling attackers to escape the intended sandbox and execute arbitrary system commands.

Risk Analysis

This vulnerability is particularly concerning in the context of agentic AI systems due to:

  1. Workflow Automation Attack Surface: n8n is commonly used to orchestrate AI agents and automate business processes, providing attackers with a central point to compromise multiple downstream systems and data flows.
  2. Credential Repository Access: Workflow automation platforms store credentials for numerous integrated services, making them high-value targets that can enable cascading compromises across the organization’s technology stack.
  3. Process Privilege Escalation: The n8n process typically runs with elevated privileges to access various systems, allowing attackers to leverage these permissions for lateral movement and persistent access beyond the initial compromise.

Technical Details

The vulnerability stems from insufficient sandbox isolation in n8n’s expression evaluation mechanism:

  1. Expression Injection Vector:
    • User-supplied expressions in workflow configurations are evaluated by the n8n runtime
    • The sandbox implementation fails to properly isolate function expressions from the Node.js global context
    • Attackers can craft expressions that access the global this object
  2. Sandbox Escape Mechanism:
    • In Node.js environments, the global this provides access to the process object
    • The process object exposes methods like process.mainModule.require() to load arbitrary modules
    • Attackers can leverage the child_process module to execute system commands with n8n process privileges
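The escape path described above leaves a recognisable trace in workflow definitions: an expression that reaches for the global this object, the process object, mainModule/require, or child_process. The following script is an added example for defenders, not part of this advisory and not n8n's own code. It audits an exported workflow JSON and reports every expression that references those names, so reviewers can triage suspicious workflows before or after patching. It assumes the usual export layout (a nodes array whose entries carry name, type and parameters) and n8n's convention that expression-valued parameters are strings beginning with "="; the workflow embedded in it is a constructed sample.

```javascript
// Added example (not n8n project code): audit an exported n8n workflow for
// expressions that reference the runtime objects named in this advisory.
// Assumptions: export shape { nodes: [{ name, type, parameters }] } and the
// n8n convention that expression parameters are strings starting with "=".

// Identifiers the advisory names as the sandbox-escape path. Matching is done
// only on the JavaScript inside {{ ... }}, not on plain text parameters.
const SUSPICIOUS_PATTERNS = [
  { id: 'global-this', re: /\bthis\b/ },
  { id: 'process-object', re: /\bprocess\b/ },
  { id: 'mainModule-require', re: /mainModule|\brequire\s*\(/ },
  { id: 'child_process', re: /child_process/ },
];

// Return the inner text of every {{ ... }} block in an expression parameter.
// Non-expression strings (no leading "=") yield nothing.
function extractExpressions(value) {
  if (typeof value !== 'string' || !value.startsWith('=')) return [];
  const found = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(value)) !== null) found.push(m[1].trim());
  return found;
}

// Recursively walk a node's parameters, recording the JSON path of each expression.
function walk(value, path, out) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) walk(v, `${path}.${k}`, out);
  } else {
    for (const expr of extractExpressions(value)) out.push({ path, expr });
  }
}

// Produce one finding per expression that matches at least one pattern.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    const exprs = [];
    walk(node.parameters || {}, 'parameters', exprs);
    for (const { path, expr } of exprs) {
      const hits = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(expr)).map((p) => p.id);
      if (hits.length) findings.push({ node: node.name, type: node.type, path, expr, hits });
    }
  }
  return findings;
}

// Constructed sample: one benign expression, one that reaches for the runtime,
// and a plain-text parameter that mentions "process" but is not an expression.
const SAMPLE_WORKFLOW = {
  name: 'constructed-sample',
  nodes: [
    { name: 'Set fields', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'greeting', value: '=Hello {{ $json.firstName }}' }] } } },
    { name: 'Suspicious', type: 'n8n-nodes-base.set',
      parameters: { values: { string: [{ name: 'x', value: '={{ this.process }}' }] } } },
    { name: 'Plain text', type: 'n8n-nodes-base.noOp',
      parameters: { note: 'This note mentions process but is not an expression' } },
  ],
};

// Stand-alone usage: node audit-workflow.js exported-workflow.json
// (falls back to the constructed sample when no file is given).
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const wf = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_WORKFLOW;
  console.log(JSON.stringify(auditWorkflow(wf), null, 2));
}
```

Run it over each workflow exported from the instance (Settings > Download, or the REST API's workflow listing) and review every finding by hand; a hit is a review trigger, not proof of compromise, since a legitimate expression can mention "this" in a string literal inside the braces.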

Impact

Systems affected by this vulnerability may experience:

  • Execution of arbitrary system commands with the privileges of the n8n process
  • Unauthorized access to sensitive data processed by workflows including customer data, API responses, and business intelligence
  • Theft of credentials stored in workflow configurations, environment variables, and n8n databases
  • Modification or deletion of workflows to disrupt business operations or establish persistence
  • Lateral movement to systems and APIs integrated with n8n workflows
  • Exfiltration of proprietary workflow logic and business process automation rules

Affected Versions

The following versions are known to be affected:

  • n8n >= 0.211.0, < 1.120.4

Patched:

  • n8n = 1.120.4
  • n8n = 1.121.1
  • n8n = 1.122.0

Immediate Mitigation Steps

  1. Identify Vulnerable Installations

    # Check n8n version (Docker)
    docker exec <container_name> n8n --version

    # Check n8n version (npm/local installation)
    n8n --version

    # Check package.json for n8n dependency
    grep '"n8n"' package.json

    # Check all installed n8n packages
    npm list n8n

    Vulnerable if:
    • Version >= 0.211.0 and < 1.120.4

    If you are running a vulnerable version, upgrade immediately to 1.120.4, 1.121.1, or 1.122.0+.
  2. Update to Patched Version:

    # For Docker standalone installations
    docker pull n8nio/n8n:1.122.1
    docker stop <container_name>
    docker run --rm -it \
      --name n8n \
      -p 5678:5678 \
      -v ~/.n8n:/home/node/.n8n \
      n8nio/n8n:1.122.1

    # For Docker Compose installations
    # Update image version in docker-compose.yml to n8nio/n8n:1.122.1
    docker compose pull
    docker compose up -d

    # For Kubernetes/Podman installations
    # Update image version in your deployment manifests to n8nio/n8n:1.122.1
    # Then apply the updated configuration (kubectl apply -f / podman-compose up -d)

    # For npm global installations
    npm install -g n8n@1.122.1

    # For npm project dependencies
    npm install n8n@1.122.1
    npm update n8n

    # Verify the upgrade
    n8n --version
  3. Restrict Workflow Permissions

    • Review user roles and permissions in n8n
    • Limit workflow creation and editing to trusted administrators only
    • Implement approval workflows for new or modified workflows in production environments
  4. Review for Compromise

    • Review network connections from n8n instances for unexpected destinations
    • Check for new or modified webhook endpoints that could be used for data exfiltration
    • Examine workflow execution history for failed executions with suspicious error messages
    • Rotate all credentials accessible to n8n workflows as a precautionary measure
  5. Implement Monitoring

    1. Subscribe to security advisories for npm packages
    2. Enable logging for all workflow invocations
    3. Set up alerts for anomalous behavior patterns
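When step 1 is repeated across many hosts, the captured output of n8n --version is easier to triage with a script than by eye. The following is an added example, not part of this advisory and not n8n's own code: it parses version strings and classifies each host against the affected range stated in this advisory (>= 0.211.0 and < 1.120.4). The host-to-version map embedded in it is a constructed sample; a version that cannot be parsed is reported as unknown rather than assumed safe.

```javascript
// Added example (not n8n project code): classify captured `n8n --version`
// output against the affected range this advisory states.
const AFFECTED_MIN = [0, 211, 0]; // inclusive lower bound from the advisory
const AFFECTED_MAX = [1, 120, 4]; // exclusive upper bound (first fixed version)

// Parse "1.120.4", "v1.122.1" or "1.121.0-beta.1" into [major, minor, patch].
// Anything else (for example a "command not found" line) returns null.
function parseVersion(text) {
  const m = String(text).trim().match(/^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = inside the affected range, false = outside it, null = could not parse.
function isAffected(versionText) {
  const v = parseVersion(versionText);
  if (v === null) return null;
  return compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) < 0;
}

// Constructed sample: host name -> captured output of `n8n --version`.
const SAMPLE_FLEET = {
  'automation-01': '1.119.2',
  'automation-02': '1.120.4',
  'automation-03': '0.210.9',
  'automation-04': 'v1.122.1',
  'automation-05': 'n8n: command not found',
};

// Group hosts into affected / notAffected / unknown for follow-up.
function triageFleet(fleet) {
  const result = { affected: [], notAffected: [], unknown: [] };
  for (const [host, output] of Object.entries(fleet)) {
    const a = isAffected(output);
    if (a === null) result.unknown.push(host);
    else if (a) result.affected.push(host);
    else result.notAffected.push(host);
  }
  return result;
}

// Stand-alone usage: node triage-versions.js 1.119.2 v1.122.1 ...
// (falls back to the constructed fleet when no arguments are given).
if (typeof require !== 'undefined' && require.main === module) {
  const args = process.argv.slice(2);
  const fleet = args.length
    ? Object.fromEntries(args.map((v, i) => [`arg-${i + 1}`, v]))
    : SAMPLE_FLEET;
  console.log(JSON.stringify(triageFleet(fleet), null, 2));
}
```

Hosts in the unknown bucket need a manual check, since a missing or broken n8n binary on one path does not rule out an instance running elsewhere on the same host.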

Long-term Recommendations

  1. Access Control Hardening:
    • Implement principle of least privilege for workflow creation and editing permissions
    • Enable multi-factor authentication for all n8n user accounts
    • Establish segregation of duties between workflow development and production deployment
  2. Runtime Security:
    • Deploy n8n in containerised environments with restricted capabilities (drop CAP_SYS_ADMIN, CAP_NET_ADMIN)
    • Implement network segmentation to limit n8n's access to only required systems
    • Run n8n processes with minimal OS-level privileges using dedicated service accounts
    • Enable comprehensive logging and monitoring for workflow execution and system calls
  3. Supply Chain Governance:
    • Establish change management processes for workflow modifications in production
    • Implement code review requirements for complex workflow expressions
    • Maintain inventory of all systems and APIs integrated with n8n
    • Conduct regular security assessments of automation platforms and their configurations

Framework Context

This incident aligns with multiple security frameworks:

OWASP Agentic Security & Integrity (ASI) 2026:

  • ASI02:2026 Tool Misuse and Exploitation - n8n’s expression evaluation feature exploited beyond intended data transformation scope to execute arbitrary system commands and compromise host infrastructure
  • ASI04:2026 Agentic Supply Chain Vulnerabilities - n8n as foundational workflow automation infrastructure creates cascading risk across dependent business processes, AI agent deployments, and integrated systems
  • ASI05:2026 Unexpected Code Execution (RCE) - Expression injection converts user-supplied text into executable JavaScript bypassing AST-based sandboxing, enabling host compromise through Node.js module access

OWASP Agentic AI Threats & Mitigations (AATM) v1.0:

  • T2 Tool Misuse - Expression evaluation tool exploited beyond intended automation boundaries to achieve arbitrary command execution
  • T11 Unexpected RCE - Sandbox bypass mechanism enables conversion of workflow expressions into system commands with host privileges

OWASP LLM Top 10 (2025):

  • LLM01:2025 Prompt Injection - AI-powered workflow generation systems vulnerable to prompt injection can indirectly create malicious workflows containing exploit payloads
  • LLM03:2025 Supply Chain - n8n dependency vulnerability creates systemic exposure across automation platforms and AI agent orchestration layers
  • LLM06:2025 Excessive Agency - Workflows and autonomous agents with expression evaluation capabilities can execute privileged operations when sandbox bypass is exploited

Common Weakness Enumeration (CWE):

  • CWE-913 Improper Control of Dynamically-Managed Code Resources - Insufficient validation and sandboxing of user-supplied expressions enables dynamic code evaluation with access to underlying Node.js runtime, violating containment assumptions and enabling arbitrary command execution

Updates

We will update this analysis as more information becomes available. Please monitor our security channels for the latest updates.
