DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25049: Git-R-Done: RCE in n8n via Config Injection

Vulnerability ID: CVE-2026-25049
CVSS Score: 9.4
Published: 2026-02-04

A critical Remote Code Execution (RCE) vulnerability in n8n's Git node allows authenticated users to execute arbitrary commands via malicious Git configuration values. This is a classic sandbox escape in which untrusted data (repository configuration) is treated as code.

TL;DR

n8n interprets strings wrapped in double curly braces as code. By crafting a malicious .git/config file (e.g., in a repository that n8n clones), an attacker can place a JavaScript payload in a configuration value. When the Git node's List Config operation returns that configuration, n8n evaluates the payload, leading to full RCE.
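The defensive counterpart to the TL;DR above is to treat every value that comes out of `git config --list` as untrusted text and neutralize the template delimiters before it can reach an expression evaluator. The following is an added example written for this post; it is not n8n's code, and the function names (`parseGitConfigList`, `hasTemplateSyntax`, `sanitizeConfigValue`, `sanitizeGitConfig`) and the sample config are constructed for illustration.

```javascript
// Added example (not n8n code): parse `git config --list` output and
// neutralize double-curly-brace template delimiters in every value before
// the data is handed to any templating or expression layer.
// All function names here are assumptions for this illustration.

// Matches the `{{` / `}}` delimiters the report describes as interpreted code.
const TEMPLATE_DELIMITER = /\{\{|\}\}/;

// Parse the key=value lines emitted by `git config --list`.
// A value may itself contain '=', so split only on the first one.
function parseGitConfigList(output) {
  const entries = {};
  for (const rawLine of output.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '') continue;
    const idx = line.indexOf('=');
    if (idx === -1) continue; // bare key without a value
    entries[line.slice(0, idx)] = line.slice(idx + 1);
  }
  return entries;
}

function hasTemplateSyntax(value) {
  return TEMPLATE_DELIMITER.test(value);
}

// Break the delimiter token so the string can no longer be parsed as an
// expression, while keeping the original characters readable for the user.
function sanitizeConfigValue(value) {
  return value.replace(/\{\{/g, '{ {').replace(/\}\}/g, '} }');
}

// Sanitize every value (not only remote.origin.url) and report which keys
// carried template syntax so the event can be logged or the node can refuse.
function sanitizeGitConfig(output) {
  const parsed = parseGitConfigList(output);
  const flagged = [];
  const sanitized = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (hasTemplateSyntax(value)) flagged.push(key);
    sanitized[key] = sanitizeConfigValue(value);
  }
  return { sanitized, flagged };
}

// Constructed sample: a benign remote plus one value carrying the
// template delimiters the report warns about (no real payload).
const SAMPLE_CONFIG_LIST = [
  'core.repositoryformatversion=0',
  'remote.origin.url=https://example.invalid/repo.git',
  'remote.mirror.url={{ 1 + 1 }}',
  'branch.main.merge=refs/heads/main',
].join('\n');

const result = sanitizeGitConfig(SAMPLE_CONFIG_LIST);
console.log(result.flagged);                       // ['remote.mirror.url']
console.log(result.sanitized['remote.mirror.url']); // '{ { 1 + 1 } }'
```

Flagging the key as well as rewriting the value matters operationally: a repository whose config carries template syntax is a detection signal worth logging, not just something to silently scrub.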


⚠️ Exploit Status: Proof of concept (PoC)

Technical Details

  • CWE ID: CWE-913
  • Attack Vector: Network
  • CVSS Score: 9.4 (Critical)
  • Impact: Remote Code Execution (RCE)
  • Vulnerable Component: Git Node (List Config operation)
  • Exploit Complexity: Low

Affected Systems

  • n8n workflow automation tool
  • n8n: < 1.123.17 (Fixed in: 1.123.17)
  • n8n: < 2.5.2 (Fixed in: 2.5.2)

Code Analysis

Commit: 7860896

Initial patch attempting to sanitize Git config output.

+ sanitizeUrl(config.values['remote.origin.url'])
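Review bot: this added call sanitizes only `remote.origin.url`, while the affected List Config operation returns every key the repository's config defines, and the report's own analysis points at `.git/config` URL fields in general, so any other `remote.<name>.url` value would still reach the expression evaluator untouched. Apply the sanitization in the routine that maps the whole config list (the follow-up commit names `mapGitConfigList`) rather than to one hard-coded key.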

Commit: 936c06c

Follow-up patch refining the sanitization logic.

Refactored mapGitConfigList usage

Exploit Details

  • Context Analysis: Injection of Node.js require('child_process') calls through URL fields in .git/config, which the Git node returns as configuration values.

Mitigation Strategies

  • Input Sanitization
  • Execution Sandboxing
  • Principle of Least Privilege

Remediation Steps:

  1. Upgrade n8n to version 1.123.17 or 2.5.2 immediately.
  2. Audit existing workflows for Git nodes interacting with untrusted repositories.
  3. Rotate any secrets or API keys stored in n8n if signs of compromise are detected.

Read the full report for CVE-2026-25049 on our website for more details including interactive diagrams and full exploit analysis.
