Critical n8n Vulnerability (CVE-2025-68613) Allows Remote Code Execution: Patch Now

  • December 25, 2025

A critical vulnerability in n8n (CVE-2025-68613) allows remote code execution and system compromise. Explore the security risk n8n faces and why applying security patches immediately is necessary to safeguard automated processes.

A high-risk vulnerability has been identified in n8n, the workflow automation software. The issue, designated CVE-2025-68613, may enable an attacker to run malicious code on an n8n server; its CVSS score is 9.9 (Critical) because it may lead to complete system compromise. Notably, the attack is easy to launch against an unpatched system as long as the attacker holds at least a low-level account for authenticated access. Organizations that run n8n should therefore patch the software immediately and tighten security against potential malicious actors.

Critical Security Alert: CVE-2025-68613 Analysis

  • Vulnerability: Expression Injection
  • Target Platform: n8n Automation
  • Severity Score: 9.9 (Critical Impact)
  • Vulnerability Classification: Authenticated Expression Injection leading to Remote Code Execution (RCE)
  • Affected Range: v0.211.0 to v1.121.1
  • Resolution Patch: v1.122.0+
  • Advisory: Upgrade immediately. This bypasses the logic sandbox.

Expression Injection: How a Flaw in an n8n Workflow Enables Code Execution

n8n lets users write dynamic expressions in workflow definitions to manipulate data or control workflow logic. However, a vulnerability in n8n's expression engine meant that expressions were not fully sandboxed from the underlying system. As a result, any attacker with legitimate login access to n8n could craft a malicious expression in a workflow definition to escape the sandbox's boundaries, and could then use Node.js internals to invoke system commands on the n8n server.
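For defenders reviewing existing workflows, the following added example (not code from n8n or from this advisory) walks an exported workflow and flags expressions that reference Node.js runtime objects. It assumes expressions are stored as string parameters that start with "=" and contain {{ ... }} segments; the token list and the sample workflow are constructed for illustration and are not an official signature.

```javascript
// Added example: audit an exported workflow for expressions that reference
// Node.js runtime objects. Token list is an illustrative assumption.
const SUSPICIOUS = /\b(process|require|child_process|execSync|spawn|globalThis)\b/;

// Yield every {{ ... }} segment found in expression-valued parameters
// (strings starting with "="), together with the parameter path.
function* expressions(value, path) {
  if (typeof value === "string") {
    if (!value.startsWith("=")) return; // plain literal, not an expression
    for (const m of value.matchAll(/\{\{([\s\S]*?)\}\}/g)) {
      yield { path, code: m[1].trim() };
    }
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      yield* expressions(value[i], `${path}[${i}]`);
    }
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      yield* expressions(v, `${path}.${k}`);
    }
  }
}

// Return one finding per expression segment that touches a flagged token.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const expr of expressions(node.parameters, "parameters")) {
      const hit = SUSPICIOUS.exec(expr.code);
      if (hit) findings.push({ node: node.name, path: expr.path, token: hit[1] });
    }
  }
  return findings;
}

// Constructed sample: one ordinary expression, one that touches `process`.
const sampleWorkflow = {
  name: "constructed-sample",
  nodes: [
    { name: "Set Greeting", type: "n8n-nodes-base.set",
      parameters: { values: { string: [{ name: "msg", value: "=Hello {{ $json.firstName }}" }] } } },
    { name: "Edit Fields", type: "n8n-nodes-base.set",
      parameters: { value: "={{ process.version }}" } },
  ],
};

console.log(auditWorkflow(sampleWorkflow));
```

A hit is a prompt for manual review of who authored the workflow and when, not proof of compromise; a clean result does not replace patching.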

The Impact of This RCE Vulnerability on n8n Users

The effect may be severe. A successful exploit could culminate in a full-scale attack on the n8n instance. A malicious attacker could do the following:

Impact Analysis

  • Data Breach: Access and extract sensitive credentials, customer databases, and internal documents handled by n8n.
  • Workflow Sabotage: Maliciously modify or disable critical automation flows, disrupting core business logic and processes.
  • System Takeover: Execute OS commands to install malware, create backdoors, or gain persistent control of the host server.
  • Exposed Online: 100,000+ instances potentially vulnerable globally.
  • PoC Publicly Available: Proof-of-concept code has been released online, significantly lowering the technical barrier for attackers.

Any unpatched n8n instance is currently an easy target for automated exploitation tools.

For context, security scans have identified more than 100,000 n8n instances as potentially exposed on the internet and possibly at risk. To make things worse, proof-of-concept exploit code for this vulnerability is already publicly available, which makes it simpler to attack any unpatched instance of n8n.

Are You at Risk?

If your n8n installation is running a version between 0.211.0 and 1.121.1, it is most likely affected by CVE-2025-68613. Because this is a severe vulnerability and any logged-in user can bypass the expression sandbox and execute arbitrary code on your host machine, it is essential to update to at least version 1.122.0 to safeguard your data and infrastructure if the instance is directly or indirectly reachable from the public internet or used by multiple users.

Verify your n8n deployment against CVE-2025-68613 criteria.

Risk Factors (if any are TRUE, you are at risk)

  • Running version 0.211.0 to 1.121.1
  • Instance is accessible via Public Internet
  • Multiple users have Dashboard Access

Immediate Action Plan

  01. Pull Latest Image: Run docker pull n8nio/n8n:latest to patch.
  02. Verify Sandbox: Ensure environment variables do not disable security sandboxing.
  03. Audit Permissions: Reduce workflow editing rights until the update is applied.

Note: Remote Code Execution (RCE) can lead to total infrastructure compromise. Do not delay patching.
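To apply the risk factors above across more than one deployment, this added example (not code from n8n or from this advisory) classifies version strings against the affected range and the fixed releases as this page states them, then orders instances for patching. The inventory entries, field names and exposure weighting are constructed assumptions.

```javascript
// Added example: classify n8n versions using the figures given on this page.
const AFFECTED_MIN = [0, 211, 0]; // page: affected from 0.211.0
const AFFECTED_MAX = [1, 121, 1]; // page: affected up to 1.121.1
// Releases the page's patch section lists as containing the fix.
const LISTED_FIXED = new Set(["1.120.4", "1.121.1", "1.122.0"]);

// "v1.119.2" -> { nums: [1,119,2], pre: false }; null for tags such as "latest".
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function versionStatus(raw) {
  const v = parseVersion(raw);
  if (!v) return "unknown"; // resolve the image tag to a real version first
  if (!v.pre && LISTED_FIXED.has(v.nums.join("."))) return "listed-fixed";
  const inRange = compare(v.nums, AFFECTED_MIN) >= 0 && compare(v.nums, AFFECTED_MAX) <= 0;
  if (inRange) return "affected";
  // Do not assume a pre-release build of a newer version carries the fix.
  return v.pre ? "unknown" : "outside-range";
}

// Affected instances first, then unknown; within a group, internet-exposed
// and multi-user instances first (weights are an assumption of this example).
function patchQueue(inventory) {
  const rank = { affected: 0, unknown: 1 };
  return inventory
    .map((i) => ({ ...i, status: versionStatus(i.version),
      exposure: (i.internetExposed ? 2 : 0) + (i.editors > 1 ? 1 : 0) }))
    .filter((i) => i.status in rank)
    .sort((a, b) => rank[a.status] - rank[b.status] || b.exposure - a.exposure);
}

const inventory = [ // constructed sample data
  { name: "ops-internal", version: "1.119.2", internetExposed: false, editors: 1 },
  { name: "marketing", version: "v1.110.0", internetExposed: true, editors: 6 },
  { name: "staging", version: "latest", internetExposed: false, editors: 3 },
  { name: "prod", version: "1.122.0", internetExposed: true, editors: 12 },
];
console.log(patchQueue(inventory).map((i) => `${i.name}: ${i.status}`));
```

An "unknown" result usually means the deployment is pinned to a floating tag such as latest; read the running version from the instance itself before treating it as patched.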

Patch Now: Fixed Versions and Workarounds

Patches addressing this issue have been released in n8n versions 1.120.4, 1.121.1, and 1.122.0. It is highly recommended that admins

However, if an immediate update is not feasible, there are temporary workarounds:

  • Restrict Workflow Access: Limit the ability to create or modify workflows to your most trusted users. Doing so reduces the likelihood of an attacker exploiting this vulnerability.
  • Harden the Environment: Run n8n in an environment with very limited privileges and network access, for instance inside a locked-down container with very strict firewall rules. If the n8n process were exploited, it would not have access to much.

It is essential to note that these steps only reduce the attack surface; they do not eliminate the vulnerability. Only the official bug fix does that.

Conclusion: A Critical Reminder About Automation Risk

The n8n vulnerability exposes a harsh reality of modern automation platforms. When workflow engines can be manipulated to execute system commands, every automated process becomes a potential entry point. No phishing is required. No malware delivery chain is needed. A single abused expression is enough to hand over full control.

Why This Risk Extends Beyond n8n

Automation tools sit at the heart of business operations. They connect APIs, credentials, cloud services, and internal systems. When one of these platforms is compromised, the blast radius is immediate:

  • Trusted workflows become execution engines for attackers
  • Automation servers inherit access to cloud keys and internal services
  • Low-privileged users can trigger high-impact outcomes
  • Patch delays translate directly into system-level compromise

Any environment that allows dynamic code execution without strict isolation is exposed.

Where Xcitium Changes the Outcome

For organizations using Xcitium Advanced EDR, exploitation attempts like CVE-2025-68613 fail at execution.

  • Malicious expressions may run, but the code cannot cause damage
  • Escaped Node.js commands cannot impact the real system
  • Workflow abuse cannot lead to persistence, lateral movement, or data loss
  • Automation servers remain operational and protected

Xcitium removes the attacker’s ability to turn automation into a weapon by eliminating execution risk entirely.

Secure Automation Before It Becomes an Attack Path

Automation accelerates business, but it also accelerates attackers. Patching is mandatory. Isolation is essential. Prevention must happen at execution.

Protect the systems that run your workflows.
Choose Xcitium Advanced EDR.
