CVE-2025-65964

8.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution (RCE) on the n8n workflow automation platform by abusing Git pre-commit hooks. An attacker who can create or modify workflows that use the Git node can set malicious Git configuration that executes arbitrary commands on the n8n host. All n8n instances running affected versions with the Git node available are at risk.

💻 Affected Systems

Products:
  • n8n
Versions: 0.123.1 through 1.119.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Git node functionality to be available and accessible to attackers who can create/modify workflows.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the n8n host: the attacker gains shell access, exfiltrates data, moves laterally within the network and establishes persistence.

🟠 Likely Case

Unauthorized code execution leading to workflow manipulation, theft of credentials stored in n8n, and potential access to connected systems via n8n integrations.

🟢 If Mitigated

Limited impact with proper network segmentation and restricted workflow permissions, potentially affecting only the isolated n8n instance.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create/modify workflows but the attack chain is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.119.2

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq

Restart Required: Yes

Instructions:

1. Back up n8n data and workflows.
2. Update n8n to version 1.119.2 or later using your deployment method (Docker, npm, etc.).
3. Restart the n8n service.
4. Verify that the version has been updated.

🔧 Temporary Workarounds

Exclude Git Node (all)

Disable the Git node entirely to prevent exploitation: set the N8N_BLOCKED_NODES environment variable to include n8n-nodes-base.git.

Restrict Workflow Permissions (all)

Limit who can create or modify workflows that use Git nodes.

🧯 If You Can't Patch

  • Implement strict access controls so that unauthorized users cannot create or modify workflows
  • Place n8n instances in a segmented network and restrict their outbound connections to limit the impact of a compromise

🔍 How to Verify

Check if Vulnerable:

Check the n8n version via the web interface or the /rest/healthz API endpoint.

Check Version:

curl -s http://n8n-host:5678/rest/healthz | grep version

Verify Fix Applied:

Confirm the version is 1.119.2 or higher, then test Git node functionality with known-safe configurations.
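As an added example (not part of this advisory or of n8n itself), a small POSIX sh helper that classifies a reported n8n version against the affected range stated above (0.123.1 through 1.119.1, fixed in 1.119.2) and checks whether an N8N_BLOCKED_NODES value covers the Git node. The version string and blocked-node list are passed in as arguments; how you obtain them (the /rest/healthz query above, or the container's environment) is up to you.

```shell
#!/bin/sh
# Added helper for CVE-2025-65964 triage; not code from the advisory or from n8n.

# Compare two dotted versions numerically (major.minor.patch).
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2. Missing components count as 0.
vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Returns 0 (true) if the version lies in the affected range 0.123.1..1.119.1.
# A pre-release suffix such as "-rc.1" is stripped before comparing.
n8n_version_vulnerable() {
    v=${1%%-*}
    [ "$(vercmp "$v" 0.123.1)" -ge 0 ] && [ "$(vercmp "$v" 1.119.1)" -le 0 ]
}

# Returns 0 (true) if a comma-separated N8N_BLOCKED_NODES value lists the Git node.
# Whitespace around entries is ignored.
git_node_blocked() {
    list=$(printf '%s' "$1" | tr -d ' \t')
    case ",$list," in
        *",n8n-nodes-base.git,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: ./check.sh <version> [N8N_BLOCKED_NODES value]
if [ "$#" -ge 1 ]; then
    if n8n_version_vulnerable "$1"; then
        if git_node_blocked "${2:-}"; then
            echo "n8n $1 is in the affected range but the Git node is blocked (workaround in place); upgrade to 1.119.2+"
        else
            echo "n8n $1 is VULNERABLE: upgrade to 1.119.2+ or block n8n-nodes-base.git via N8N_BLOCKED_NODES"
        fi
    else
        echo "n8n $1 is outside the affected range"
    fi
fi
```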

📡 Detection & Monitoring

Log Indicators:

  • Unusual Git configuration changes in workflow logs
  • Suspicious commands in n8n execution logs
  • Multiple failed Git operations followed by successful ones

Network Indicators:

  • Unexpected outbound connections from n8n host
  • Downloads from unusual Git repositories

SIEM Query:

source="n8n" AND ("core.hooksPath" OR "git config" OR "pre-commit")
