As enterprises increasingly rely on low-code platforms to bridge their SaaS ecosystems, these "connective tissues" have become a prime target. Today, the cybersecurity community is reacting to **CVE-2025-68613**, a devastating RCE flaw in the **n8n** workflow automation tool that allows unauthenticated attackers to seize total control of the host environment.
The core of the vulnerability lies in n8n's powerful **Expression Parser**. Researchers discovered that the sanitization logic used to prevent arbitrary JavaScript execution within `{{ }}` templates could be bypassed using a specialized Unicode-encoding trick. By sending a malicious payload to a publicly accessible webhook or a shared workflow endpoint, an attacker can escape the sandbox and execute arbitrary commands with the privileges of the n8n process.
Because n8n often runs with high-level permissions to interact with Docker sockets, local file systems, and cloud APIs, an RCE on this platform isn't just a local compromise—it's a **Supply Chain Hijack**. An attacker can silently intercept API keys, exfiltrate database backups, or modify production deployment pipelines.
The addition of CVE-2025-68613 to the **CISA KEV** list indicates that this isn't just a theoretical risk. Threat intelligence firms have observed botnets scanning for publicly exposed `/webhook/` and `/rest/` endpoints associated with n8n. In many cases, these instances are running with default credentials or weak authentication, making the RCE trivial to weaponize at scale.
Analysis of compromised instances shows that the average time from initial probe to full data exfiltration is less than **180 seconds**. Attackers are specifically targeting n8n’s internal SQLite or Postgres databases to dump the `credentials` table, which contains encrypted tokens for services like AWS, GitHub, and Salesforce. If your instance is exposed, assume all connected credentials are compromised.
This vulnerability highlights the risk of **"Shadow Automation"**: instances of n8n or similar tools spun up by individual developers or departments without IT oversight. Because these instances often lack automated patch management, they remain vulnerable long after a fix is released. Organizations should immediately audit their networks for rogue n8n containers using tools like **Nmap** or specialized EDR queries.
The n8n RCE is a wake-up call for the "Agentic DevOps" era. As we move toward more autonomous systems, the platforms that orchestrate those systems must be hardened to the same standard as the kernel itself. If you are running self-hosted n8n, **stop what you are doing and upgrade to v1.122.0 now.**
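One way to run the container audit and upgrade check described above on a Docker host, as an added example that is not from n8n or any vendor tooling. It assumes the listing comes from `docker ps --format '{{.Names}}\t{{.Image}}'`, that instances use the upstream `n8nio/n8n` repository name, and the container names in the sample are constructed.

```python
import re

FIXED = (1, 122, 0)  # upgrade target named in this article
# Assumption: instances run the upstream repo name, possibly behind a mirror.
N8N_REPO = re.compile(r"(^|/)n8nio/n8n$")

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Image}}'` output.
SAMPLE = (
    "automation-prod\tdocker.n8n.io/n8nio/n8n:1.122.0\n"
    "mktg-flows\tn8nio/n8n:1.119.2\n"
    "dev-sandbox\tn8nio/n8n:latest\n"
    "team-mirror\tregistry.local:5000/n8nio/n8n:1.98.1\n"
    "legacy\tregistry.local:5000/n8nio/n8n\n"
    "db\tpostgres:16\n"
)

def split_image(ref):
    """Split an image reference into (repository, tag); tag is '' if absent."""
    ref = ref.partition("@")[0]           # drop any @sha256 digest suffix
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:                     # a ':' before the last '/' is a registry port
        return ref[:colon], ref[colon + 1:]
    return ref, ""

def parse_version(tag):
    """Return (major, minor, patch) for tags like 1.119.2, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(listing):
    """Return (container, image, status) for every n8n container in the listing."""
    findings = []
    for line in listing.splitlines():
        name, _, image = line.partition("\t")
        repo, tag = split_image(image.strip())
        if not N8N_REPO.search(repo):
            continue
        version = parse_version(tag)
        if version is None:
            status = "UNKNOWN"            # floating or missing tag: inspect the container
        elif version < FIXED:             # numeric compare, so 1.98.1 < 1.122.0
            status = "VULNERABLE"
        else:
            status = "OK"
        findings.append((name, image.strip(), status))
    return findings

if __name__ == "__main__":
    for name, image, status in audit(SAMPLE):
        print(f"{status:<10} {name:<16} {image}")
```

Containers reported as `UNKNOWN` run a floating or missing tag, so the image reference alone does not prove they are patched; check the version inside the running instance before clearing them.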
Have you audited your workflow security recently? Join the discussion on our Discord server.