Disclaimer: This writeup is based on a Capture The Flag (CTF) challenge hosted on TryHackMe and it is intended for educational purposes only.

In this room, we will examine CVE-2025–68613, a critical vulnerability in n8n that was published on December 19, 2025, with a CVSS score of 9.9.

n8n is an open-source workflow automation platform designed to visually connect applications and services for task automation. Users build workflows composed of nodes, with each node representing an action such as making an API request, processing data, or sending an email. n8n is frequently used to automate repetitive operational tasks and to integrate security tools and SaaS platforms. Below is a simple example workflow that allows us to schedule an HTTP GET request to the NVD CVE API, format the output using JavaScript, and then send the report via email and to a Slack channel.

Task 1 Introduction

Let's dive into the technical details.

No answer needed

Task 2 Technical Background

In this exploit, what is the name of the module that allowed us to execute system commands?

child_process

Task 3 Exploitation

What is the flag?

THM{n8n_exposed_workflow}

Task 4 Detection

Depending on your environment, ensure that your security solutions are detecting threats targeting your web applications and infrastructure.

No answer needed

Task 5 Conclusion

If you enjoyed this room, consider checking other rooms in the Recent Threats module.

No answer needed