A severe security vulnerability, identified as CVE-2025-68613, has been discovered in the popular n8n workflow automation platform. This critical flaw could enable authenticated users to execute arbitrary code on affected systems, posing a significant risk to sensitive data and system integrity. The vulnerability carries a near-perfect CVSS score of 9.9 out of 10, highlighting its extreme severity. The n8n platform, widely used for automating business processes, is downloaded by approximately 57,000 users weekly, underscoring the broad potential impact of this exploit.
The security issue arises from how n8n handles expressions provided by authenticated users during workflow configuration. According to the maintainers of the npm package, these expressions can, under specific circumstances, be evaluated in an execution context that lacks sufficient isolation from the underlying runtime environment. This misconfiguration could be exploited by a malicious authenticated attacker to gain control of the n8n process, leading to potential full compromise of the instance. An attacker could access confidential data, alter existing workflows, or perform system-level operations without authorization.
Critical n8n Workflow Automation Vulnerability Exposes Systems to Code Execution
The vulnerability, CVE-2025-68613, affects all versions of n8n starting from 0.211.0 up to, but not including, version 1.120.4. Fortunately, the n8n development team has responded swiftly, releasing patches in versions 1.120.4, 1.121.1, and 1.122.0. Despite the availability of fixes, a substantial number of instances remain vulnerable. Attack surface management platform Censys reported on December 22, 2025, that an estimated 103,476 n8n instances are potentially exposed.
Geographically, the majority of these potentially vulnerable instances are concentrated in the United States, Germany, France, Brazil, and Singapore. The widespread deployment of n8n across various industries means that a diverse range of organizations could be at risk if immediate action is not taken. The potential for unauthorized access to sensitive data, including customer information and proprietary business logic, is a major concern for businesses relying on this workflow automation tool.
The implications of exploiting this n8n workflow automation vulnerability are far-reaching. Beyond data breaches and modifications, attackers could use a compromised n8n instance as a pivot point to launch further attacks within an organization’s network. The ability to execute arbitrary code with the privileges of the n8n process essentially grants attackers significant command over the affected server environment, making the scope of potential damage extensive.
Mitigation Strategies and Patching Urgency
Given the critical nature of CVE-2025-68613, users of the n8n platform are strongly advised to apply the available security updates as soon as possible. This is the most effective way to protect against potential exploitation. Organizations that cannot immediately patch their n8n instances are urged to implement interim mitigation strategies to reduce their risk exposure. These include limiting workflow creation and editing permissions strictly to trusted users who have a legitimate need for such access.
Additionally, deploying n8n within a hardened environment can provide an added layer of security. This involves configuring the operating system with restricted privileges and limiting network access to only essential endpoints. While these measures can help contain the potential impact, they should not be considered a substitute for applying the official security patches. The ongoing monitoring of network activity and n8n logs for any unusual patterns is also recommended.
The rapid dissemination of this vulnerability underscores the importance of staying vigilant in the cybersecurity landscape, particularly for platforms that integrate deeply into business operations and handle sensitive information. The n8n team’s proactive patching is a positive step, but the responsibility now falls on users to implement these crucial updates. Further analysis of the exploit’s practical application and the number of actively exploited instances is expected in the coming weeks.