
Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances

Critical
Exploit
Published: Tue Dec 23 2025 (12/23/2025, 07:34:00 UTC)
Source: The Hacker News

Description

A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances. The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 out of a maximum of 10.0. The package has about 57,000 weekly downloads, according to statistics on npm. "Under certain

AI-Powered Analysis

Last updated: 12/23/2025, 08:38:32 UTC

Technical Analysis

CVE-2025-68613 is a critical flaw in the n8n workflow automation platform that allows arbitrary code execution. The root cause is the platform's handling of expressions supplied by authenticated users during workflow configuration: under certain circumstances these expressions are evaluated in an execution context that is not sufficiently isolated from the underlying Node.js runtime, so a user with workflow configuration privileges can run arbitrary code with the permissions of the n8n process. That is enough to fully compromise the instance: read sensitive data such as stored credentials, create or modify workflows, and run system-level commands.

Affected versions run from 0.211.0 up to, but not including, 1.120.4; the maintainers shipped fixes in 1.120.4, 1.121.1 and 1.122.0. According to Censys data, over 103,000 potentially vulnerable instances are exposed worldwide, concentrated in the U.S., Germany, France, Brazil and Singapore, and the npm package sees roughly 57,000 weekly downloads, so the attack surface is broad.

No active exploitation has been reported. The CVSS 9.9 rating reflects that the only precondition is an authenticated account with workflow editing rights; no further user interaction is required. Any organization running n8n is exposed, in particular where editing rights are granted widely or the editor is reachable from outside the organization. The flaw underscores that automation platforms which evaluate user-supplied expressions need strict sandboxing, because the expression language is effectively a programmable interface to the host.
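A quick way to turn the version ranges above into a check you can run on each host, as an added example (not code from n8n or from the article). It encodes only what the analysis states: affected from 0.211.0 up to but not including 1.120.4, with fixes published as 1.120.4, 1.121.1 and 1.122.0. One assumption is made explicit in the code: since a fix was released as 1.121.1, the 1.121.0 release of that line is treated as unpatched, and 1.122.0 and later are treated as fixed. The `n8n --version` call assumes the n8n CLI is on the PATH; the function also accepts a version string directly.

```python
"""Check whether an n8n version falls in the CVE-2025-68613 affected range.

Added example; not code from n8n or the article. Ranges come from the
advisory text: affected from 0.211.0 up to (not including) 1.120.4, fixes in
1.120.4, 1.121.1 and 1.122.0. Assumption: 1.121.0 is treated as unpatched
because the fix for that line shipped as 1.121.1; >= 1.122.0 is treated as fixed.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (0, 211, 0)
# Earliest fixed release per minor line, taken from the advisory's patch list.
FIXED_IN = {(1, 120): (1, 120, 4), (1, 121): (1, 121, 1)}
FIXED_FROM: Version = (1, 122, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from '1.120.3', 'v1.120.3' or CLI output.

    Pre-release suffixes such as '-rc.1' are ignored, so treat release
    candidates as the base version they precede.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version is inside the range the advisory lists as vulnerable."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    if v < FIRST_AFFECTED:
        return False
    if v >= FIXED_FROM:
        return False
    fixed = FIXED_IN.get((v[0], v[1]))
    if fixed is not None:
        return v < fixed
    # Every other release between 0.211.0 and 1.122.0 has no listed fix.
    return True


def installed_version() -> Optional[str]:
    """Ask the local n8n CLI for its version; None if n8n is not on PATH."""
    try:
        out = subprocess.run(["n8n", "--version"], capture_output=True,
                             text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("n8n CLI not found; call is_affected('<version>') instead")
    else:
        state = "AFFECTED" if is_affected(v) else "not affected"
        print(f"n8n {v}: {state} by CVE-2025-68613")
```

For container deployments, run the same check against the image tag or against `n8n --version` executed inside the container, since the host may not have the CLI at all.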

Potential Impact

For European organizations the impact is significant because n8n is widely used for automation and integration workflows. Successful exploitation gives an attacker full control of the affected system, which means unauthorized access to sensitive business data, disruption of automated processes, and a foothold for lateral movement within the corporate network. Confidentiality, integrity and availability are all at stake, so the likely consequences are operational downtime, data breaches, and compliance violations under GDPR. Because the code runs with the n8n process's privileges, an attacker can deploy malware, exfiltrate data, or alter workflows so that the platform itself propagates the attack. Automation is central to many digital transformation initiatives, so disruption can cascade into broader business continuity problems. Sectors that depend heavily on automated workflows, such as finance, healthcare, manufacturing, and public services, are particularly exposed, and the large number of vulnerable instances in Germany and France makes prompt remediation urgent for European entities. Finally, the flaw lends itself to targeted attacks in which a threat actor abuses a trusted internal automation tool to bypass perimeter defenses.

Mitigation Recommendations

1. Patch immediately to n8n 1.120.4, 1.121.1, or 1.122.0 (or any later release); this is the only complete mitigation and should be prioritized.
2. Until patching is possible, restrict workflow creation and editing permissions strictly to trusted and vetted users, since those are the privileges the vulnerability requires.
3. Run n8n in a hardened environment with minimal operating system privileges, using containerization or sandboxing to limit the blast radius of code execution inside the process.
4. Apply network segmentation and firewall rules so that the n8n editor and API are reachable only from trusted networks and users.
5. Monitor logs and workflow changes for suspicious activity, in particular new or modified expressions that reference the runtime rather than workflow data, and unauthorized workflow modifications.
6. Conduct regular security audits and penetration tests that focus on automation platforms, to identify and remediate similar risks.
7. Educate administrators and users about the risks of granting workflow editing rights and the importance of applying security updates promptly.
8. Consider runtime application self-protection (RASP) or endpoint detection and response (EDR) tooling to detect anomalous behavior originating from the n8n process, such as unexpected child processes or outbound connections.
9. Review and enforce least privilege for every user and service account that interacts with the n8n platform.
10. Maintain an incident response plan tailored to automation platform compromises, covering credential rotation for every integration the instance holds, so that containment and recovery are fast.
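Recommendation 5 asks for monitoring of workflow changes. The following added example (not n8n's code, and not a detection published with the advisory) shows one way to do that offline over exported workflow JSON: it walks every node's parameters, pulls out the `{{ ... }}` segments of parameters stored as expressions (n8n marks those with a leading `=`), and flags expressions that reach for JavaScript runtime objects instead of the workflow's own `$json`/`$node` data. The pattern list is a heuristic chosen here, and the sample workflow, including the suspicious expression, is constructed for the example; it makes no claim about what works against any particular n8n version.

```python
"""Heuristic scan of exported n8n workflow JSON for expressions that reach
outside workflow data.

Added example, not n8n's code. Assumptions: an n8n parameter holds an
expression when its string value starts with "=" and contains {{ ... }}
segments; the SUSPICIOUS patterns are a heuristic chosen here, not an
indicator published with the advisory. SAMPLE_WORKFLOW is constructed.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

EXPR_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)

# Tokens a templating expression over $json/$node data should never need.
SUSPICIOUS = [
    re.compile(p) for p in (
        r"\bconstructor\b",         # obj.constructor.constructor -> Function
        r"\bprocess\b",             # process.env, process.binding, ...
        r"\brequire\s*\(",
        r"\bchild_process\b",
        r"\bglobalThis\b|\bglobal\b",
        r"__proto__",
        r"\beval\s*\(",
    )
]


def iter_expressions(params: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (parameter_path, expression_body) for each {{ }} segment found."""
    if isinstance(params, dict):
        for key, value in params.items():
            yield from iter_expressions(value, f"{path}.{key}" if path else key)
    elif isinstance(params, list):
        for i, value in enumerate(params):
            yield from iter_expressions(value, f"{path}[{i}]")
    elif isinstance(params, str) and params.startswith("="):
        for m in EXPR_RE.finditer(params):
            yield path, m.group(1).strip()


def scan_workflow(workflow: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per suspicious expression across the workflow's nodes."""
    findings: List[Dict[str, Any]] = []
    for node in workflow.get("nodes", []):
        for path, expr in iter_expressions(node.get("parameters", {})):
            hits = [p.pattern for p in SUSPICIOUS if p.search(expr)]
            if hits:
                findings.append({
                    "node": node.get("name"),
                    "type": node.get("type"),
                    "parameter": path,
                    "expression": expr,
                    "matched": hits,
                })
    return findings


# Constructed sample export: one benign data expression and one expression
# shaped like a generic JS sandbox probe, included only so the scanner has
# something to flag.
SAMPLE_WORKFLOW: Dict[str, Any] = {
    "name": "invoice-sync",
    "nodes": [
        {"name": "Set", "type": "n8n-nodes-base.set",
         "parameters": {"values": {"string": [
             {"name": "customer", "value": "={{ $json.customer.name }}"}]}}},
        {"name": "HTTP Request", "type": "n8n-nodes-base.httpRequest",
         "parameters": {
             "url": "={{ $json.constructor.constructor('return process.env')() }}"}},
    ],
}

if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(json.dumps(finding, indent=2))
```

Run it over a directory of workflow exports on a schedule, or wire it into the change-review step for workflows, and diff the findings against the previous run so that a newly introduced runtime-reaching expression raises an alert rather than a one-off report.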


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/12/critical-n8n-flaw-cvss-99-enables.html","fetched":true,"fetchedAt":"2025-12-23T08:38:14.776Z","wordCount":859}

Threat ID: 694a54f9ef649361abadc9cf

Added to database: 12/23/2025, 8:38:17 AM

Last enriched: 12/23/2025, 8:38:32 AM

Last updated: 12/24/2025, 4:04:45 AM

Views: 143

