CVE-2025-68613

Dec. 23, 2025, 2:51 p.m.

9.9
Critical

Description

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

Product(s) Impacted

Product Versions

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-913
Improper Control of Dynamically-Managed Code Resources
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

References

https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79
https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000
https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316
https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp

Tags

[email protected]
2025-12-19
CVE-2025-68613

CVSS Score

9.9 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: Dec. 19, 2025, 11:15 p.m.
Last Modified: Dec. 23, 2025, 2:51 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

Linked Attack Reports

MuddyWater Exposed: Inside an Iranian APT operation

Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfilt…
exfiltration
cyber espionage
reconnaissance
CVE-2022-42475
vulnerability exploitation
command and control
CVE-2024-55591
CVE-2025-5777
CVE-2025-54068
iranian apt
CVE-2025-9316
CVE-2025-55182
CVE-2025-34291
CVE-2025-68613
CVE-2025-52691
tsundere botnet
CVE-2026-1281
CVE-2026-1731
geopolitical conflict
2026-03-05
arenac2
CVE-2024-23113
keyc2
mois
persianc2
Published: March 5, 2026
Linked vulnerabilities : CVE-2024-5559 (CVSS 6.1), CVE-2024-55591 (CVSS 9.8), CVE-2022-42475, CVE-2025-5777 (CVSS 9.3), CVE-2025-54068 (CVSS 9.2), CVE-2025-9316 (CVSS 6.9), CVE-2025-55182 (CVSS 10.0), CVE-2025-34291 (CVSS 9.4), CVE-2025-68613 (CVSS 9.9), CVE-2025-52691 (CVSS 10.0), CVE-2026-1281 (CVSS 9.8), CVE-2026-1731 (CVSS 9.9), CVE-2024-23113
Downloadable IOCs: 14

March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day

In March 2026, 31 high-impact vulnerabilities were identified requiring prioritization for remediation, with 29 receiving Very Critical Risk Scores. Affected vendors included Cisco, Microsoft, Google, ConnectWise, and others, with Microsoft and Apple accounting for approximately 32% of vulnerabilit…
ransomware
remote code execution
deserialization vulnerability
CVE-2025-32432
CVE-2025-54068
CVE-2025-26399
CVE-2025-53521
CVE-2025-68613
CVE-2026-20963
CVE-2026-27483
CVE-2026-21385
CVE-2021-30952
CVE-2023-41974
plasmagrid
CVE-2026-20131
CVE-2026-27944
CVE-2017-7921
CVE-2026-21262
CVE-2026-25187
CVE-2026-26127
CVE-2026-3909
CVE-2026-3910
CVE-2026-3564
ghostblade
ghostknife
ghostsaber
CVE-2026-33017
CVE-2026-3055
CVE-2026-33634
CVE-2026-33032
2026-04-14
cisco fmc
ios exploit kit
plasmaloader
zero-day exploitation
Published: April 14, 2026
Linked vulnerabilities : CVE-2025-32432 (CVSS 10.0), CVE-2025-54068 (CVSS 9.2), CVE-2025-26399 (CVSS 9.8), CVE-2025-53521 (CVSS 8.7), CVE-2025-68613 (CVSS 9.9), CVE-2026-20963 (CVSS 8.8), CVE-2026-27483 (CVSS 8.8), CVE-2026-21385 (CVSS 7.8), CVE-2023-41974, CVE-2021-30952, CVE-2026-20131 (CVSS 10.0), CVE-2026-27944 (CVSS 9.8), CVE-2017-7921, CVE-2026-21262 (CVSS 8.8), CVE-2026-25187 (CVSS 7.8), CVE-2026-26127 (CVSS 7.5), CVE-2026-3909 (CVSS 8.8), CVE-2026-3910 (CVSS 8.8), CVE-2026-3564 (CVSS 9.0), CVE-2026-33017 (CVSS 9.3), CVE-2026-3055 (CVSS 9.3), CVE-2026-33634 (CVSS 9.4), CVE-2026-33032 (CVSS 9.8)
Downloadable IOCs: 2

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.