Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across 103,476 Instances

December 2025. A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances.

The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 out of a maximum of 10.0—placing it in the highest severity category. Security researcher Fatih Çelik has been credited with discovering and reporting the flaw. The package has about 57,000 weekly downloads on npm, making it a high-value target for attackers.

What Is n8n?

n8n is an open-source workflow automation platform that allows users to connect different services and automate tasks. It's similar to Zapier or Microsoft Power Automate but can be self-hosted, giving organizations more control over their data and workflows.

n8n is used by thousands of organizations worldwide to automate business processes, integrate systems, and streamline operations. It's particularly popular among developers, DevOps teams, and businesses that need to automate complex workflows without writing code from scratch.

The Vulnerability: CVE-2025-68613

According to the maintainers of the npm package, the vulnerability exists because "under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime."

In simpler terms: when users configure workflows in n8n, they can input expressions (code-like instructions). Under certain conditions, these expressions are executed in a way that isn't properly isolated from the server's runtime environment. This means an attacker could potentially execute arbitrary code on the server.

CVSS 9.9 Score Breakdown

A CVSS score of 9.9 indicates a critical vulnerability with the following characteristics:

• Attack Vector: Network (remotely exploitable)
• Attack Complexity: Low (easy to exploit)
• Privileges Required: Low (requires authentication, but many users have this)
• User Interaction: None (no user action required)
• Scope: Changed (affects other components)
• Confidentiality Impact: High (complete data access)
• Integrity Impact: High (complete system modification)
• Availability Impact: High (complete system shutdown possible)

Impact of Successful Exploitation

According to the maintainers, "an authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations."

This means that if an attacker successfully exploits this vulnerability, they could:

• Steal sensitive data: Access any data stored in n8n or accessible through workflows
• Modify workflows: Change or delete existing workflows, potentially disrupting business operations
• Execute system commands: Run arbitrary commands on the server, potentially gaining full control
• Lateral movement: Use the compromised n8n instance to attack other systems in the network
• Supply chain attacks: Compromise workflows that interact with other services or systems

Affected Versions

The vulnerability affects all versions including and higher than 0.211.0 and below 1.120.4. This is a wide range of versions, meaning many installations are potentially vulnerable.

Patched Versions

The issue has been patched in the following versions:

• 1.120.4 - Contains the security fix
• 1.121.1 - Contains the security fix
• 1.122.0 - Contains the security fix

If you're running any version between 0.211.0 and 1.120.3, you are vulnerable and should update immediately.

The Scale of the Problem

According to the attack surface management platform Censys, there are 103,476 potentially vulnerable instances as of December 22, 2025. This is a massive attack surface that attackers are likely already scanning and attempting to exploit.

Geographic Distribution

The majority of vulnerable instances are located in:

• United States - Highest concentration
• Germany - Significant number of instances
• France - Large deployment base
• Brazil - Growing number of instances
• Singapore - Regional hub

This geographic distribution reflects the global adoption of n8n, but it also means that attackers have a large pool of potential targets across multiple regions.

Immediate Action Required

How to Check Your Version

To check your n8n version:

1. Log into your n8n instance
2. Navigate to Settings → About
3. Check the version number displayed
4. If your version is between 0.211.0 and 1.120.3, you are vulnerable

How to Update

The update process depends on how you installed n8n:

• Docker: Pull the latest image and restart your container
• npm: Run npm update -g n8n or update your package.json
• Self-hosted: Follow the official n8n update documentation

Mitigation Strategies (If Immediate Patching Is Not Possible)

If you cannot immediately patch your n8n instance, implement these mitigation strategies:

1. Limit Workflow Creation and Editing Permissions

Restrict workflow creation and editing permissions to only trusted users. This reduces the attack surface by limiting who can potentially exploit the vulnerability.

2. Deploy in a Hardened Environment

Deploy n8n in a hardened environment with:

• Restricted operating system privileges: Run n8n with the least privileges necessary
• Network access restrictions: Limit network access to only what's necessary for n8n to function
• Network segmentation: Isolate n8n from other critical systems
• Firewall rules: Implement strict firewall rules to limit access

3. Monitor for Exploitation Attempts

Monitor your n8n logs for suspicious activity, such as:

• Unusual workflow modifications
• Unexpected API calls
• Suspicious expression evaluations
• Unauthorized access attempts

4. Implement Additional Security Controls

• Web Application Firewall (WAF): Use a WAF to block known attack patterns
• Rate limiting: Implement rate limiting to prevent brute-force attacks
• Multi-factor authentication (MFA): Require MFA for all user accounts
• Regular backups: Ensure you have recent backups in case of compromise

Why This Vulnerability Is So Dangerous

This vulnerability is particularly dangerous because:

• High CVSS score (9.9): One of the highest severity ratings possible
• Large attack surface: Over 103,000 potentially vulnerable instances
• Arbitrary code execution: Allows complete system compromise
• Authenticated access: Many users have the permissions needed to exploit it
• Workflow automation context: n8n often has access to sensitive systems and data
• Supply chain risk: Compromised n8n instances can be used to attack connected systems

Real-World Impact

If this vulnerability is successfully exploited, the consequences could be severe:

• Data breaches: Attackers could steal sensitive data stored in n8n or accessible through workflows
• Business disruption: Modified or deleted workflows could disrupt critical business processes
• Financial loss: Data breaches and business disruption can result in significant financial losses
• Reputation damage: Security incidents can damage an organization's reputation
• Regulatory compliance issues: Data breaches may result in regulatory fines and compliance issues
• Lateral movement: Compromised n8n instances could be used as a stepping stone to attack other systems

Best Practices for n8n Security

To protect your n8n instance from future vulnerabilities:

• Keep n8n updated: Always apply security patches as soon as they're released
• Use least privilege: Grant users only the permissions they need
• Network segmentation: Isolate n8n from other critical systems
• Regular security audits: Conduct regular security audits of your n8n deployment
• Monitor logs: Monitor n8n logs for suspicious activity
• Implement MFA: Require multi-factor authentication for all accounts
• Regular backups: Maintain regular backups of your n8n instance
• Security awareness: Train users on security best practices

Conclusion

CVE-2025-68613 is a critical vulnerability that affects over 103,000 n8n instances worldwide. With a CVSS score of 9.9, this vulnerability allows arbitrary code execution and can lead to complete system compromise.

If you're running n8n, check your version immediately and update to a patched version (1.120.4, 1.121.1, or 1.122.0) as soon as possible. If immediate patching is not possible, implement the mitigation strategies outlined in this article to reduce your risk.

This vulnerability serves as a reminder of the importance of keeping software updated and implementing proper security controls. In the Matrix*, when systems fail, everything fails. Don't let your workflow automation platform be the weak link in your security chain.