CVE-2025-68613 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

CVE-2025-68613 is a CVSS 8.8 RCE in n8n, actively exploited in the wild (CISA KEV, Zerobot malware campaign) and requires only low-privilege authentication — patch to 1.120.4/1.121.1/1.122.0 immediately. If n8n is part of your AI agent infrastructure, assume credential compromise: rotate all API keys, LLM tokens, and integration secrets stored in the platform. Any n8n instance accessible from the internet with multi-user access must be treated as breached until patched.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
n8n	npm	—	No patch

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

N/A

KEV Status

Actively Exploited

Sophistication

Trivial

Recommended Action

1. PATCH IMMEDIATELY: Upgrade to n8n 1.120.4, 1.121.1, or 1.122.0. This is the only complete fix.
2. If patching is blocked: restrict workflow creation/editing to fully trusted users only and isolate n8n behind VPN or internal network — remove all public internet exposure.
3. Rotate all credentials stored in n8n (LLM API keys, database passwords, OAuth tokens, webhook secrets) regardless of whether compromise is confirmed.
4. Audit workflow modification history for unauthorized changes, particularly any new HTTP Request nodes, Execute Command nodes, or newly created credentials.
5. Deploy n8n in a hardened container with restricted OS privileges (non-root, read-only filesystem where possible, egress firewall rules).
6. Detection: Monitor for unusual n8n process spawning child processes (bash, sh, cmd), unexpected outbound connections from the n8n host, and new workflow creation by non-admin users. Alert on access to /etc/passwd, SSH key directories, or credential files from the n8n process.
7. Check n8n logs for expression payloads containing process execution patterns (child_process, exec, spawn, eval).

Classification

Code Execution Auth Bypass Data Extraction Agent Framework Plugin AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0105 - Escape to Host AML.T0108 - AI Agent

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.4 - AI risk assessment A.6.2 - AI system roles and responsibilities A.9.2 - Information security in AI system development and operation A.9.7 - Information security in AI system operations

NIST AI RMF

GOVERN 1.2 - Policies and processes related to AI risk are established GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms to sustain AI risk management are planned

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling LLM06 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency LLM08 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

Exploitation Scenario

Attacker obtains low-privilege n8n credentials via phishing, credential stuffing, or purchasing them on darknet markets (n8n is widely deployed as a SaaS-style internal tool). They create a new workflow containing a malicious expression — e.g., in a Function node or expression field — that abuses CWE-913 (improper control of dynamically-managed code resources) to break out of the expression sandbox and execute OS commands. With the privileges of the n8n process, they execute a reverse shell, establish persistence, and immediately target n8n's encrypted credential store. They exfiltrate all stored API keys (OpenAI, Anthropic, AWS, Slack, GitHub, etc.), then modify existing AI agent workflows to silently forward all processed data to an attacker-controlled endpoint. In the Zerobot campaign context, they also enroll the host in a botnet for cryptomining or DDoS operations. The entire attack chain from initial access to full AI pipeline compromise takes under 10 minutes.

Weaknesses (CWE)

CWE-913 Primary CWE-913

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published

December 19, 2025

Last Modified

March 11, 2026

First Seen

December 19, 2025