CVE-2025-68613: CWE-913: Improper Control of Dynamically-Managed Code Resources in n8n-io n8n
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-68613 affects the n8n open source workflow automation platform, specifically versions from 0.211.0 up to, but not including, 1.120.4, as well as version 1.121.0 (the 1.121 release preceding the 1.121.1 fix). The root cause is an improper control of dynamically-managed code resources (CWE-913) within the workflow expression evaluation system. When workflows are configured, expressions supplied by authenticated users are evaluated in a runtime context that lacks sufficient isolation. This flaw allows an attacker with authenticated access to inject and execute arbitrary code with the same privileges as the n8n process. Because n8n often runs with significant system privileges to automate workflows, successful exploitation can lead to complete compromise of the host environment. Attackers could access sensitive data, alter or create malicious workflows, and perform system-level operations such as installing malware or pivoting within the network. The vulnerability does not require user interaction beyond authentication, making it easier to exploit once credentials are obtained. The vendor has released patched versions (1.120.4, 1.121.1, and 1.122.0) that introduce enhanced safeguards to restrict expression evaluation contexts and prevent code injection. Until upgrades are applied, administrators are advised to limit workflow editing permissions strictly to trusted users and run n8n in hardened environments with minimal privileges and network restrictions. Although no known exploits in the wild have been reported yet, the critical nature and ease of exploitation make this a high-risk vulnerability.
Potential Impact
For European organizations, the impact of this vulnerability is significant due to the potential for full system compromise. n8n is used by enterprises for automating business-critical workflows, often integrating with sensitive data sources and internal systems. Exploitation could lead to unauthorized disclosure of confidential information, disruption of automated processes, and unauthorized changes to workflows that could propagate malicious actions across connected systems. The ability to execute arbitrary code at the system level increases the risk of ransomware deployment, lateral movement, and persistent backdoors. Organizations in sectors such as finance, healthcare, manufacturing, and public administration, where automation platforms like n8n are increasingly adopted, face heightened risks. The vulnerability’s requirement for authenticated access means that credential compromise or insider threats could trigger exploitation. Given the critical CVSS score and the broad impact on confidentiality, integrity, and availability, European entities must prioritize remediation to prevent potential operational and reputational damage.
Mitigation Recommendations
1. Immediately upgrade to n8n version 1.120.4, 1.121.1, or 1.122.0 to apply the official patches that address the vulnerability.
2. Restrict workflow creation and editing permissions exclusively to fully trusted and vetted users to reduce the attack surface.
3. Deploy n8n instances within hardened environments: run under the least-privilege principle, using dedicated service accounts with minimal OS permissions.
4. Isolate n8n servers in segmented network zones with strict firewall rules to limit exposure and lateral movement in case of compromise.
5. Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential theft leading to exploitation.
6. Monitor logs and workflow changes for suspicious activity indicative of exploitation attempts or unauthorized modifications.
7. Conduct regular security audits and penetration testing focused on workflow automation platforms to identify potential misconfigurations or vulnerabilities.
8. If immediate patching is not feasible, consider disabling or limiting access to the expression evaluation features or workflows that accept user-supplied expressions. These measures should be temporary and replaced by patching as soon as possible.
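As a triage aid for the upgrade step and the version ranges given in the technical summary, here is an added example (not n8n's or the advisory's own code): it parses an n8n version string and reports whether it falls in an affected range as the advisory states them. Components are compared numerically, since plain string comparison misorders releases such as 1.120.10 against 1.120.4.

```python
"""Check whether an n8n version is in the affected range of CVE-2025-68613.

Constructed example, not n8n's own code. Ranges are taken from the advisory:
affected from 0.211.0 up to (not including) 1.120.4, 1.121.1 and 1.122.0.
"""
import re

# (start_inclusive, end_exclusive) tuples per the advisory text.
# 1.120.x line: fixed in 1.120.4.  1.121.x line: fixed in 1.121.1.
# 1.122.0 is the first release of its line and already carries the fix.
AFFECTED_RANGES = [
    ((0, 211, 0), (1, 120, 4)),
    ((1, 121, 0), (1, 121, 1)),
]

# Only plain MAJOR.MINOR.PATCH (optional leading "v") is accepted;
# anything else is rejected rather than silently guessed.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Turn '1.120.3' or 'v1.120.3' into the tuple (1, 120, 3)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised n8n version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range."""
    parsed = parse_version(version)
    return any(lo <= parsed < hi for lo, hi in AFFECTED_RANGES)


def triage(versions) -> dict:
    """Map each version string in an inventory to 'affected' / 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory covering the boundaries of each range.
    sample = ["0.210.9", "0.211.0", "1.120.3", "1.120.4",
              "1.120.10", "1.121.0", "1.121.1", "1.122.0"]
    for ver, status in triage(sample).items():
        print(f"{ver:>8}: {status}")
```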
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-19T14:58:47.823Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6945d4648954746f284878c5
Added to database: 12/19/2025, 10:40:36 PM
Last enriched: 12/27/2025, 4:28:27 AM
Last updated: 2/6/2026, 7:56:11 PM