CVE-2025-65964 is a critical vulnerability in the n8n open source workflow automation platform affecting versions from 0.123.1 up to 1.119.1. The vulnerability stems from the Git node's Add Config operation, which allows workflows to set arbitrary Git configuration parameters, including core.hooksPath. This configuration controls the directory from which Git loads hooks, scripts that run automatically during Git operations. By setting core.hooksPath to a directory containing malicious hooks, an attacker who can create or modify workflows with the Git node can cause arbitrary commands to execute on the n8n host during subsequent Git operations, leading to remote code execution (RCE). The attack vector requires the ability to modify workflows but does not require user interaction or elevated privileges beyond workflow modification rights. The vulnerability is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), indicating that untrusted input controls execution flow. The CVSS 4.0 base score is 9.4 (critical), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported yet. The issue was fixed in n8n version 1.119.2. Workarounds include disabling the Git node entirely and avoiding cloning or interacting with untrusted repositories via the Git node. This vulnerability poses a significant risk to organizations using n8n for workflow automation, especially those integrating Git-based workflows or automations.

For European organizations, exploitation of CVE-2025-65964 could lead to full system compromise of the n8n host, allowing attackers to execute arbitrary commands, potentially leading to data theft, lateral movement, or disruption of automated workflows. Given n8n's role in automating business processes, an attacker could manipulate or disrupt critical operations, causing operational downtime and reputational damage. The vulnerability's network accessibility and lack of required user interaction increase the risk of remote exploitation, especially in environments where multiple users can create or modify workflows. Organizations relying on n8n to integrate with Git repositories or automate DevOps pipelines are particularly at risk. The impact is exacerbated in regulated industries common in Europe, such as finance, healthcare, and manufacturing, where workflow integrity and data confidentiality are paramount. Additionally, supply chain attacks could be facilitated by injecting malicious hooks into workflows that interact with external repositories. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread exploitation occurs.

The primary mitigation is to upgrade n8n to version 1.119.2 or later, where the vulnerability is fixed. Until upgrade is possible, organizations should disable or restrict the Git node functionality to prevent workflows from modifying Git configurations. Implement strict access controls to limit who can create or modify workflows, ensuring only trusted users have such permissions. Avoid cloning or interacting with untrusted Git repositories through the Git node to reduce exposure to malicious hooks. Monitor workflow changes and Git operations for unusual activity indicative of exploitation attempts. Employ network segmentation to isolate n8n hosts from critical infrastructure and sensitive data stores. Conduct regular security audits of workflow configurations and Git integration settings. Finally, educate DevOps and automation teams about the risks of untrusted code execution via Git hooks and enforce policies to validate all external code sources.