The workflow automation platform n8n has a critical security vulnerability, tracked as CVE-2025-68613, that under certain conditions allows arbitrary code execution. It carries a CVSS score of 9.9 out of 10.0. As of December 22, 2025, an estimated 103,476 internet-exposed n8n installations were at risk, the majority of them in the United States, Germany, France, Brazil, and Singapore.
The bug affects all n8n versions >= 0.211.0 and < 1.120.4. An authenticated attacker, that is, anyone with an account that can create or edit workflows, can exploit it to run arbitrary code with the privileges of the n8n process. Since the n8n process holds the instance's stored credentials and talks to every connected integration, that is effectively full control of the host and of anything the instance can reach. The maintainers of the npm package have rated the vulnerability critical.
Details of the Vulnerability
The vulnerability is due to the way n8n processes expressions provided by authenticated users when configuring workflows. Under specific conditions, these expressions may be evaluated in a context that lacks sufficient isolation from the underlying runtime environment.
“Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.” – n8n-io/n8n maintainers
An attacker who can get a crafted expression into a workflow can therefore run code of their choosing on the host. Operators should take stock of every n8n installation they run today, including self-hosted and container deployments, and check its version.
Impact and Reach
According to the Censys team, over 100,000 n8n instances are exposed to the internet and potentially vulnerable. The platform is widely deployed: the npm package alone sees over 57,000 weekly downloads, so the flaw touches a large number of organizations.
These exposed instances are spread across nearly every country, with the largest concentrations in the U.S., Germany, France, Brazil and Singapore. Note that internet exposure is what Censys can count, not what makes an instance vulnerable: a purely internal n8n deployment is still at risk if any account that can edit workflows belongs to someone you do not fully trust.
Remediation Steps
The fix is available in n8n 1.120.4, 1.121.1, and 1.122.0. Upgrade to one of these releases (or later) as soon as possible. Until you can, limit who holds accounts able to create or edit workflows, since exploitation requires an authenticated user, and if you suspect an instance has already been exploited, treat the credentials stored on it as compromised and rotate them.
Fatih Çelik found and reported the vulnerability responsibly. Work like his is a reminder of how much community vigilance contributes to keeping widely used software secure.
“An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process.” – The Hacker News

