Introduction

In this TryHackMe room, we analyze CVE-2025–68613, a critical Remote Code Execution vulnerability affecting n8n, an open-source workflow automation platform. This vulnerability allows any authenticated user to execute arbitrary system commands through insecure expression evaluation — leading to full system compromise.

This walkthrough covers:

  • Vulnerability background
  • Technical root cause
  • Browser-based exploitation
  • Detection and Sigma rules
  • Defensive takeaways

What is n8n?

n8n is a Node.js-based workflow automation tool used to connect applications and services using visual workflows. Each workflow is made of nodes, such as:

  • API calls
  • Data processing
  • Notifications (email, Slack, etc.)

It is commonly deployed as:

  • Self-hosted instances
  • Managed cloud service (n8n.cloud)
  • Internal automation platforms
None

Vulnerability Overview (CVE-2025–68613)

Affected Versions: 0.211.0 → 1.120.3

Patched Versions: 1.120.4, 1.121.1, 1.122.0

None

Root Cause

The vulnerability exists in n8n's workflow expression evaluation system.

  • Expressions wrapped in {{ }} are evaluated as JavaScript
  • These expressions are not properly sandboxed
  • Authenticated users can escape the intended context
  • This allows access to Node.js internals, including child_process

Authentication does not mitigate this issue — any logged-in user can exploit it.

The Exploit Payload

Working payload (from wioui):

None

Why This Works

Let's break down the escalation chain:

  1. Expression context — User input inside {{ }}
  2. this keyword – References the global Node.js object
  3. process.mainModule – Access to the root module
  4. require('child_process') – Load OS command execution module
  5. execSync('id') – Execute system command
  6. .toString() – Read command output

Security boundary violation: User expressions should never access Node.js module loading or system execution APIs.

None

Lab Setup (TryHackMe)

  • Target URL: http://10.67.188.158:5678
  • Credentials:
  • Email: tryhackme@thm.local
  • Password: Try12345!
  • Browser: Firefox (AttackBox or local via VPN)

Step-by-Step Exploitation

1️⃣ Create a New Workflow

  • Log in to n8n
  • Click Start from scratch
None

2️⃣ Add Manual Trigger

  • Click Add first step
  • Search and select Manual Trigger
None
None

3️⃣ Add "Edit Fields (Set)" Node

  • Attach it to the Manual Trigger
  • Click Add Field
  • Field name: result
  • Field value: Paste the exploit payload
None
None

4️⃣ Execute the Workflow

  • Click Execute step
  • Observe command execution output
None

The output of id confirms remote code execution.

You can now replace id with any system command.

To find the flag we change the idwith other commands.

5️⃣ Enumerate the Directory (ls -la)

Instead of directly running id, we first enumerate the current working directory to locate the flag file.

Paste the following payload into the Value field:

None

Click "Execute step". The output displays the directory contents, where we can observe a file named flag.txt.

None

6️⃣ Read the Flag File (cat flag.txt)

Now that the flag file has been identified, replace the previous payload with the following command to read its contents:

None

Click "Execute step" again. The workflow successfully executes the command and reveals the flag, confirming full remote command execution on the host system.

None
None

Detection & Defense

n8n Logging Limitation

n8n does not provide sufficient application-level logs to detect this attack reliably.

Proxy-Based Detection (Recommended)

Use a reverse proxy (e.g., nginx) to log request body content:

None

Sigma Detection Rule

None
None

Post-Exploitation Monitoring

After exploitation, attackers may:

  • Spawn reverse shells
  • Download malware
  • Run reconnaissance commands

Correlate web logs with process creation events Do not rely on a single detection signal.

Purple Team Takeaways

Expression evaluation = code execution risk

Sandboxing must isolate:

  • Global objects
  • Module loading
  • OS interaction

Detection should focus on context escalation, not just payload strings

None

Final Recommendations

  • Upgrade immediately to patched versions
  • Restrict expression evaluation capabilities
  • Monitor workflow creation endpoints
  • Correlate web + host telemetry

Final Thoughts

This vulnerability highlights how powerful automation features can become critical attack vectors when trust boundaries are poorly designed. CVE-2025–68613 is a textbook example of why user-supplied code must never run near the application runtime.

None