Critical n8n Vulnerability Exposes Workflow Systems

by Rebecca Sutton

TLDR

A critical n8n vulnerability tracked as CVE-2025-68613 has been discovered in the popular workflow automation platform. The flaw carries a CVSS score of 9.9 and allows authenticated attackers to execute remote code on affected systems. Anyone running n8n versions 0.211.0 through 1.120.3 needs to patch immediately. This security issue could let authenticated users with malicious intent take complete control of workflow environments.

What’s the n8n Vulnerability About?

The n8n vulnerability represents one of the most serious security flaws discovered in workflow automation software this year. CVE-2025-68613 affects n8n’s core expression evaluation system. Authenticated users can exploit it to break out of security sandboxes.

Here’s the thing about this particular flaw. Under certain conditions, expressions supplied during workflow configuration get evaluated without sufficient isolation from the underlying runtime. When authenticated attackers craft specific payloads, they bypass security controls entirely.

The impact? Complete system compromise. Attackers gain the same privileges as the n8n process itself. That usually means access to all workflow data, credentials, and connected systems.

How Does CVE-2025-68613 Work?

The exploitation method requires authentication but remains dangerously straightforward. Authenticated users can send specially crafted expressions during workflow configuration to vulnerable n8n instances. These expressions contain malicious code that escapes the intended execution context.

n8n’s expression engine evaluates these inputs in a context that isn’t properly isolated from the underlying runtime, so the injected code runs with the privileges of the n8n process. Once an attacker has valid credentials, exploitation becomes trivial.

Take a typical scenario. Someone with legitimate access creates a workflow with embedded malicious expressions. The server processes it. System compromised.

Security researchers found the flaw affects both self-hosted deployments and certain cloud configurations. Loads of organisations use n8n for business-critical automation. With around 57,000 weekly npm downloads and over 103,000 potentially vulnerable instances detected globally, the attack surface is massive.

Which Versions Are Affected?

The n8n vulnerability impacts a wide range of versions. Multiple version branches need patching urgently.

Specifically:

  • All versions from 0.211.0 through 1.120.3 are vulnerable
  • Patched versions are 1.120.4, 1.121.1, and 1.122.0
  • Cloud instances may be auto-patched depending on hosting configuration

Users need to check their deployment version immediately. The vulnerability exists across different installation methods too. Docker containers, npm installations, and binary deployments all require updates.

Mitigation and Patching Guidance

Patch now. There’s no workaround for this n8n vulnerability. The only proper fix involves upgrading to version 1.120.4, 1.121.1, or 1.122.0.

For organisations that can’t patch immediately, consider these temporary measures. Restrict workflow creation and editing permissions to only the most trusted users. Deploy n8n in a hardened environment with restricted operating system privileges. Block external connections entirely if possible.

But honestly? These are stopgaps. The vulnerability is too severe for half measures. A proper web application penetration testing engagement would identify issues like this before attackers do.

Why This Matters for Security Teams

Workflow automation platforms handle sensitive data. They connect to multiple systems. They often have elevated privileges across your infrastructure.

When one gets compromised, the blast radius is enormous. Attackers can pivot to connected databases. They can steal API credentials. They can modify workflows to inject persistence mechanisms.

William Fieldhouse, Director of Aardwolf Security Ltd, notes: “The n8n vulnerability highlights the risks in automation platforms that process untrusted input from authenticated users. Many organisations deploy these tools without considering the security implications of expression evaluation. A single flaw can expose your entire workflow infrastructure and all connected systems.”

Security teams should audit all automation platforms in their environment. Don’t just focus on n8n. Similar vulnerabilities might exist in other workflow tools. Regular security assessments from a reputable penetration testing company can identify these risks proactively.

Detection and Response Recommendations

Check your n8n logs for suspicious activity. Look for unusual workflow executions. Monitor for unexpected system calls or network connections.

Indicators of compromise include:

  • Workflows created or modified with suspicious expressions
  • Execution logs showing JavaScript errors or unexpected code paths
  • Outbound connections to unfamiliar IP addresses
  • Sudden spikes in CPU or memory usage
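As an added defender-side triage aid (not code from the advisory or from n8n), the script below walks an exported workflow JSON and flags expressions that reference identifiers a data-templating expression should never need, which is the first indicator in the list above. It assumes the export layout (nodes carrying a parameters tree, expression strings starting with "=" and wrapping {{ }} segments); the token list is a constructed review heuristic, not a signature for this CVE.

```python
import json
import re

# Constructed heuristic list (not from the advisory or from n8n): identifiers a
# data-templating expression should never need and that warrant analyst review.
RISKY_TOKENS = ("constructor", "require(", "process.", "child_process", "eval(", "Function(")

# Assumption about the export format: an expression parameter is a string that
# starts with "=" and embeds {{ ... }} segments evaluated by the expression engine.
EXPR_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def iter_expressions(params, path=""):
    """Walk a node's parameter tree and yield (dotted path, expression body)."""
    if isinstance(params, dict):
        for key, value in params.items():
            yield from iter_expressions(value, f"{path}.{key}" if path else key)
    elif isinstance(params, list):
        for idx, value in enumerate(params):
            yield from iter_expressions(value, f"{path}[{idx}]")
    elif isinstance(params, str) and params.startswith("="):
        for match in EXPR_RE.finditer(params):
            yield path, match.group(1).strip()


def scan_workflow(workflow):
    """Return one finding per expression that contains a risky token."""
    findings = []
    for node in workflow.get("nodes", []):
        for path, expr in iter_expressions(node.get("parameters", {})):
            hits = [tok for tok in RISKY_TOKENS if tok in expr]
            if hits:
                findings.append({"node": node.get("name"), "parameter": path,
                                 "expression": expr, "tokens": hits})
    return findings


# Constructed sample export: a benign templating expression beside one that
# reaches for the runtime's process object instead of the item data.
SAMPLE_WORKFLOW = json.loads("""{
  "name": "invoice-sync",
  "nodes": [{"name": "Set", "type": "n8n-nodes-base.set",
             "parameters": {"values": {"string": [
               {"name": "customer", "value": "={{ $json.customer.name }}"},
               {"name": "secret", "value": "={{ process.env.DB_PASSWORD }}"}]}}}]
}""")

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f['node']} {f['parameter']} {f['tokens']}: {f['expression']}")
```

Run it over every workflow exported from the instance (or the workflow table in the n8n database) and review each hit by hand; a clean scan does not prove the instance was not exploited.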

If you suspect exploitation, isolate the affected system immediately. Conduct a thorough investigation. Assume all stored credentials are compromised. Rotate API keys and passwords for connected services.

The mad rush to patch is understandable. But don’t skip the forensics. Understanding whether attackers exploited the n8n vulnerability in your environment matters for incident response.

Broader Implications for Automation Security

This incident isn’t isolated. Workflow automation platforms are becoming prime targets. They’re powerful. They’re trusted. They’re often overlooked in security programmes.

The proper approach involves treating these systems like any other critical infrastructure. Regular patching. Security assessments. Network segmentation. Principle of least privilege.

Organisations should recognise that authenticated access doesn’t equal trusted input. Expression evaluation engines require careful security consideration. The n8n vulnerability demonstrates how quickly seemingly benign features can become critical security flaws.

Consider engaging specialists for security testing. Comprehensive assessments identify vulnerabilities before they’re exploited. Getting a proper evaluation beats reactive incident response every time.

Protect your automation infrastructure. Contact us for a comprehensive security assessment and get your penetration test quote today.
