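# Template identity and metadata.
# This is a version-fingerprint check: it reports instances whose advertised
# n8n version falls inside the affected ranges. It does not exercise the
# vulnerable code path, so a result should be confirmed against the
# instance's real patch level before it is treated as a finding.
id: CVE-2025-68613

info:
  name: CVE-2025-68613 - n8n Workflow Automation RCE (Detection)
  author: ashwesker
  severity: critical
  # Block scalar body must be indented deeper than the key, otherwise the
  # description lines are parsed as (invalid) sibling keys.
  description: |
    n8n is a fair-code licensed workflow automation platform.
    CVE-2025-68613 is a critical vulnerability affecting n8n versions
    where workflow expression handling can lead to remote code execution.
    Vulnerable versions can be identified through exposed metadata on
    public authentication pages.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-68613
  metadata:
    vendor: n8n
    product: n8n Workflow Automation
    verified: true
    # Quoted so the value stays a string whatever the parser's scalar rules.
    shodan-query: 'http.favicon.hash:-831756631'
  tags: cve,cve2025,n8n,rce,workflow,automation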
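# Request section: fetch the public pages, read the version that n8n embeds in
# its Sentry config meta tag, and match only when that version is in range.
http:
  - method: GET
    path:
      - "{{BaseURL}}/signin"
      - "{{BaseURL}}/login"
      - "{{BaseURL}}/"

    # The three paths are alternatives; one matching page is enough.
    stop-at-first-match: true

    # Extractors run in order; each internal one exposes its value by name to
    # the extractors and matchers that follow.
    extractors:
      # 1. Base64 payload of the n8n:config:sentry meta tag.
      - type: regex
        name: base64_content
        group: 1
        regex:
          - '<meta name="n8n:config:sentry" content="([A-Za-z0-9+/=]+)"'
        internal: true

      # 2. Decoded payload.
      - type: dsl
        name: decoded
        dsl:
          - base64_decode(base64_content)
        internal: true

      # 3. Release string of the form n8n@MAJOR.MINOR.PATCH.
      #    (?s) lets "." span newlines, so a multi-line payload still reduces
      #    to the bare version instead of leaving surrounding lines in place.
      - type: dsl
        name: version
        dsl:
          - 'replace_regex(decoded, "(?s).*n8n@([0-9]+\\.[0-9]+\\.[0-9]+).*", "$1")'
        internal: true

      # 4. Human-readable version shown with a result.
      - type: dsl
        dsl:
          - '"Detected n8n Version: " + version'

    # All three matchers must hold. If the meta tag is absent, no version is
    # available and the template stays silent; that silence is not evidence
    # that the instance is patched.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "n8n"
        case-insensitive: true

      # Affected ranges: 0.211.0 up to (not including) 1.120.4, and
      # 1.121.0 up to (not including) 1.121.1.
      - type: dsl
        name: vulnerable
        dsl:
          - |
            (compare_versions(version, ">= 0.211.0") && compare_versions(version, "< 1.120.4")) ||
            (compare_versions(version, ">= 1.121.0") && compare_versions(version, "< 1.121.1"))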