• room link: https://tryhackme.com/room/n8ncve202568613
  • basically lets an authenticated n8n user get RCE. vuln versions are 0.211.0 to 1.120.3
  • n8n is built on Node.js and uses JS both for platform internals and for user workflow logic
  • features are:
    • workflow execution engine that manages the node-based workflow execution
    • expression evaluation system that processes dynamic expressions wrapped in {{ }}, which are evaluated as JS code during workflow execution
    • code nodes that let users add custom JS or Python code as workflow steps
    • 400+ native integrations with various APIs and services that are the nodes in n8n
  • the vuln is in the expression evaluation system: it doesn't do proper sandboxing or input sanitizing/validation and just evaluates {{ }} expressions without proper context isolation. result: RCE by ANY authenticated user, running with the privileges of the n8n process
  • example payload:
{{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })() }}
  • breakdown (iS ThAt a fUcKiNg jOjOs rEfErEnCe?!?!?!):
    • this - refers to the global object in the Node.js context (the function is called plainly, so it isn't bound to anything else)
    • process - Node.js global object that exposes the current Node.js process (env, args, the module loader etc.)
    • mainModule - the entry-point module of the running Node.js app (deprecated but still present)
    • require() - Node.js's module loading function
    • child_process - a core Node.js module for executing system commands
    • the rest is self explanatory :v
  • this wouldn't happen with proper sandboxing, since it would isolate the expression execution context from the Node.js runtime environment (no reachable process / require from inside an expression)
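since the whole problem is expressions that climb out of workflow data ($json, $node, ...) and into the Node.js runtime, a quick defensive check is to audit exported workflows for exactly that. the script below is an added example written for these notes, not code from n8n or from the room; the token list is a heuristic I picked for this example, and the workflow object is a constructed export (n8n marks expression-mode parameters with a leading "=" and embeds the JS in {{ }} segments, which is what the walker relies on):

```javascript
// Added example, not n8n code: walk an exported n8n workflow JSON and flag
// {{ }} expressions that reach into the Node.js runtime instead of staying on
// workflow data. Token list is a heuristic chosen for this example.

// Identifiers a workflow expression has no business touching. "this" is
// included because it is the usual way an expression reaches the global object.
const RISKY_TOKENS = /\b(this|process|mainModule|require|child_process|constructor|Function|eval|globalThis|global)\b/g;

// n8n stores expression-mode parameters as strings starting with "=" whose
// body contains {{ ... }} segments; pull out every segment body.
const EXPRESSION_SEGMENT = /\{\{([\s\S]*?)\}\}/g;

function extractExpressions(value) {
  if (typeof value !== "string" || !value.includes("{{")) return [];
  return [...value.matchAll(EXPRESSION_SEGMENT)].map((m) => m[1].trim());
}

// Unique risky tokens in one expression body, in order of first appearance.
// An empty array means the expression looks like plain data access.
function riskyTokensIn(expression) {
  const seen = [];
  for (const m of expression.matchAll(RISKY_TOKENS)) {
    if (!seen.includes(m[1])) seen.push(m[1]);
  }
  return seen;
}

// Recursively visit every string under a node's parameters (objects, arrays,
// nested assignments), reporting the JSON path of each one.
function walk(value, path, onString) {
  if (typeof value === "string") {
    onString(path, value);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, [...path, String(i)], onString));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) walk(v, [...path, k], onString);
  }
}

// Audit every node in the export; returns one finding per risky expression.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    walk(node.parameters, [], (path, str) => {
      for (const expr of extractExpressions(str)) {
        const tokens = riskyTokensIn(expr);
        if (tokens.length > 0) {
          findings.push({ node: node.name, type: node.type, path: path.join("."), expression: expr, tokens });
        }
      }
    });
  }
  return findings;
}

// Constructed workflow export (simplified): one harmless expression and one
// that mirrors the reference chain from the payload quoted in these notes.
const SAMPLE_WORKFLOW = {
  name: "constructed example",
  nodes: [
    { name: "Manual Trigger", type: "n8n-nodes-base.manualTrigger", parameters: {} },
    {
      name: "Edit Fields",
      type: "n8n-nodes-base.set",
      parameters: {
        assignments: {
          assignments: [
            { name: "greeting", value: "={{ 'hello ' + $json.user }}", type: "string" },
            { name: "sys", value: "={{ this.process.mainModule.require('child_process') }}", type: "string" },
          ],
        },
      },
    },
  ],
};

const report = auditWorkflow(SAMPLE_WORKFLOW);
console.log(report.length === 0 ? "no risky expressions" : JSON.stringify(report, null, 2));
```

running it against the sample flags only the second assignment ("Edit Fields", path assignments.assignments.1.value) with the tokens this, process, mainModule, require, child_process; the greeting expression passes. pointing auditWorkflow at real exports (or at the workflow JSON stored in the n8n database) gives a cheap way to spot this pattern in existing workflows while an instance is still on a vulnerable version.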

exploitation

  • provided creds for n8n user:
tryhackme@thm.local:Try12345!
  • added these 2 nodes:
  • the Edit Fields node has this set inside:
  • boom rce :D that simple
  • flag.txt was inside /home/node (where you already are)