CVE-2025-65964 is a critical vulnerability in the n8n open source workflow automation platform, affecting versions from 0.123.1 up to but not including 1.119.2. The root cause is inadequate validation and control over Git configuration settings within the platform's Git node, specifically the Add Config operation. This operation allows workflows to set arbitrary Git configuration values, including the core.hooksPath parameter, which defines the path to Git hooks. An attacker with the ability to create or modify workflows that use the Git node can set core.hooksPath to point to a malicious Git hook script. When the n8n host performs subsequent Git operations, this malicious hook executes arbitrary commands with the privileges of the n8n process, resulting in remote code execution (RCE). The vulnerability does not require user interaction or elevated privileges beyond the ability to modify workflows, making it relatively easy to exploit if workflow modification rights are compromised. The vulnerability is classified under CWE-829, indicating the inclusion of functionality from an untrusted control sphere. Although no known exploits are currently reported in the wild, the high CVSS 4.0 score of 9.4 reflects the criticality of this issue, considering its network attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The issue is resolved in n8n version 1.119.2. Until patching, mitigation includes disabling the Git node functionality and avoiding cloning or interacting with untrusted repositories via the Git node to prevent malicious hook execution.

For European organizations, this vulnerability poses a significant risk due to the potential for full system compromise through remote code execution. Organizations using n8n for automating workflows, especially those integrating Git repositories, could have their automation infrastructure hijacked, leading to data breaches, disruption of critical business processes, and lateral movement within internal networks. The ability to execute arbitrary commands on the host can allow attackers to exfiltrate sensitive data, deploy ransomware, or establish persistent footholds. Given the widespread adoption of n8n in various industries including finance, healthcare, and manufacturing across Europe, the impact could be severe. Additionally, organizations subject to strict data protection regulations such as GDPR could face compliance violations and reputational damage if exploited. The vulnerability’s exploitation does not require user interaction or elevated privileges beyond workflow modification, increasing the likelihood of successful attacks if internal controls are weak. The critical severity underscores the urgency for European entities to assess their exposure and remediate promptly to avoid operational and regulatory consequences.

European organizations should immediately upgrade n8n installations to version 1.119.2 or later to remediate this vulnerability. Until patching is possible, organizations should disable or restrict access to the Git node within n8n workflows to prevent exploitation via malicious Git configuration changes. Implement strict access controls and monitoring on workflow creation and modification permissions to limit the ability of attackers to inject malicious configurations. Avoid cloning or interacting with untrusted or external Git repositories through the Git node to reduce risk exposure. Employ network segmentation and host-based intrusion detection systems to monitor for suspicious Git operations or unexpected command executions on n8n hosts. Regularly audit workflow configurations and Git settings for unauthorized changes. Additionally, enforce the principle of least privilege for n8n service accounts and isolate n8n hosts to minimize potential lateral movement if compromise occurs. Finally, maintain up-to-date backups of critical workflows and data to enable recovery in case of exploitation.