DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-68613: n8n RCE: When 'this' Becomes Your Worst Nightmare

Vulnerability ID: CVE-2025-68613
CVSS Score: 10.0
Published: 2025-12-19

A critical Remote Code Execution (RCE) vulnerability in the n8n workflow automation platform allows authenticated users to escape the sandbox via malicious JavaScript expressions.

TL;DR

n8n, the beloved 'fair-code' automation tool, had a gaping hole in its JavaScript sandbox. By wrapping malicious code in a standard function (IIFE), attackers could abuse the this keyword to access the underlying Node.js process object. This creates a bridge out of the sandbox, allowing for full system compromise via child_process. If you run n8n, patch immediately to 1.122.0+ or risk your entire automation infrastructure being hijacked.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-913
  • Attack Vector: Network (Authenticated)
  • CVSS: 10.0 (Critical)
  • EPSS Score: 0.73859 (High Probability)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: PoC Available
  • Platform: Node.js

Affected Systems

  • n8n Workflow Automation Platform
  • n8n: >= 0.211.0, < 1.120.4 (Fixed in: 1.120.4)
  • n8n: == 1.121.0 (Fixed in: 1.121.1)

Code Analysis

Commit: 08f3320

Core fix implementing the AST sanitizer

Added FunctionThisSanitizer to rewrite function expressions in AST

Commit: 1c93335

Expansion of unsafeObjectProperties

Added mainModule, binding, _load to blacklist

Exploit Details

  • GitHub: Python exploit script to automate workflow creation and RCE
  • GitHub: Proof of concept demonstrating the 'this' context escape

Mitigation Strategies

  • Input Sanitization via AST rewriting
  • Expanded Property Blacklist
  • Least Privilege Container Runtime

Remediation Steps:

  1. Upgrade n8n to version 1.122.0 or higher immediately.
  2. Review workflow logs for failed execution attempts containing 'child_process' or 'mainModule'.
  3. Rotate any API keys or credentials stored in n8n environment variables if compromise is suspected.
  4. Restrict network egress for the n8n container to only necessary endpoints.
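
The indicator strings from step 2 can also be hunted for in the workflow definitions themselves. The scanner below is an added example, not code from n8n or from the original report. It assumes exported workflow JSON with a nodes array whose parameters hold expressions as strings starting with '='; the function names and the sample workflow are constructed for illustration.

```javascript
// Names from this advisory: 'child_process' plus the properties that
// commit 1c93335 added to the blacklist.
const INDICATORS = ['child_process', 'mainModule', 'binding', '_load'];
// A function expression that also mentions `this` is the construct the
// FunctionThisSanitizer fix rewrites; report it as a weaker signal.
const FUNCTION_THIS = /\bfunction\b[\s\S]*\bthis\b/;

// Recursively yield [jsonPath, string] for every string inside a value.
function* walkStrings(value, path = '') {
  if (typeof value === 'string') {
    yield [path, value];
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* walkStrings(value[i], `${path}[${i}]`);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* walkStrings(v, path ? `${path}.${k}` : k);
  }
}

// Return one finding per expression that contains an indicator.
function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const [path, text] of walkStrings(node.parameters || {})) {
      // Assumption: expression values are strings that start with '='.
      if (!text.startsWith('=')) continue;
      const hits = INDICATORS.filter((name) => new RegExp(`\\b${name}\\b`).test(text));
      if (FUNCTION_THIS.test(text)) hits.push('function+this');
      if (hits.length > 0) findings.push({ node: node.name, path, hits });
    }
  }
  return findings;
}

// Constructed sample, not a real workflow and not a working payload.
const sampleWorkflow = {
  nodes: [
    { name: 'Set greeting', parameters: { value: '={{ "Hello " + $json.name }}' } },
    { name: 'Plain text', parameters: { note: 'docs mention child_process here' } },
    { name: 'Odd expression',
      parameters: { options: { value: '={{ (function () { return typeof this; })() }}' } } },
    { name: 'Module lookup', parameters: { values: ['={{ $json.mainModule }}'] } },
  ],
};

console.log(JSON.stringify(scanWorkflow(sampleWorkflow), null, 2));
```

Matches are leads for manual review, not verdicts: a legitimate field named binding or an ordinary callback that uses this will also be reported.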

Read the full report for CVE-2025-68613 on our website for more details including interactive diagrams and full exploit analysis.