The vulnerability identified as CVE-2025-68613 affects the n8n open source workflow automation platform, specifically versions starting from 0.211.0 up to versions prior to 1.120.4 and version 1.121.0. The root cause is improper control of dynamically-managed code resources (CWE-913) within the workflow expression evaluation system. Authenticated users can supply expressions during workflow configuration that are evaluated in an execution context insufficiently isolated from the underlying runtime environment. This lack of isolation allows an attacker with legitimate authentication to execute arbitrary code with the same privileges as the n8n process. Such execution can lead to complete compromise of the n8n instance, including unauthorized access to sensitive data, unauthorized modification of workflows, and execution of arbitrary system-level commands. The vulnerability does not require user interaction beyond authentication but does require the attacker to have workflow creation or editing permissions. The issue has been addressed in n8n versions 1.120.4, 1.121.1, and 1.122.0 by introducing additional safeguards to restrict expression evaluation contexts. No known exploits in the wild have been reported yet. Temporary mitigations include limiting workflow editing permissions to fully trusted users and deploying n8n in a hardened environment with restricted OS privileges and network access to reduce potential exploitation impact. However, these mitigations do not fully eliminate the risk and upgrading remains the primary remediation.

The impact of this vulnerability is critical and far-reaching for organizations using the n8n platform for workflow automation. Successful exploitation allows an attacker to execute arbitrary code on the host system with the privileges of the n8n process, potentially leading to full system compromise. This includes unauthorized access to sensitive data managed or processed by n8n workflows, unauthorized modification or sabotage of automated workflows, and execution of system-level commands that could disrupt operations or facilitate lateral movement within the network. Given n8n’s role in automating business processes, such a compromise could disrupt critical business functions, cause data breaches, and result in significant operational and reputational damage. The vulnerability requires authenticated access, which somewhat limits exposure, but organizations with multiple users or weak authentication controls remain at high risk. The critical CVSS score of 10.0 underscores the severity and ease of exploitation once authenticated access is obtained.

1. Immediate upgrade to n8n versions 1.120.4, 1.121.1, or 1.122.0 where the vulnerability is patched and expression evaluation is properly isolated. 2. Restrict workflow creation and editing permissions strictly to fully trusted and vetted users only, minimizing the number of users who can supply expressions. 3. Deploy n8n instances in hardened environments with minimal operating system privileges assigned to the n8n process, reducing the impact of potential code execution. 4. Limit network access to n8n servers using firewalls and network segmentation to reduce exposure to attackers. 5. Implement strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of compromised credentials. 6. Monitor workflow changes and audit logs for suspicious activity indicative of exploitation attempts. 7. If immediate upgrade is not feasible, consider disabling or restricting features that allow user-supplied expressions in workflows until patched. 8. Regularly review and update security policies around user permissions and environment hardening to maintain defense-in-depth.