
CVE-2025-65964 | n8n | RCE

Vulnerability: CVE-2025-65964

Type: Inclusion of Functionality from Untrusted Control Sphere (CWE-829) / Remote Code Execution

Description: A vulnerability in n8n (versions 0.123.1 through 1.119.1) allows authenticated attackers to achieve Remote Code Execution (RCE) by manipulating Git configuration settings within the Git Node. The Add Config feature lacks adequate sanitization, permitting users to set core.hooksPath to a directory containing malicious scripts.

Affected Systems: n8n workflow automation platform, versions 0.123.1 through 1.119.1 (inclusive). Affects both self-hosted and cloud deployments where the Git Node is enabled.

Attack Vector: Network (Authenticated). The attacker requires access to the n8n web interface with permissions to create or modify workflows.

Exploit Mechanism: The attacker adds a Git Node to a workflow and uses the Add Config option to set core.hooksPath to a directory they control (e.g., /tmp or a cloned repository). They then trigger a Git operation (commit or clone), causing the Git binary to execute the malicious hook located in the specified path.

Impact of the Bug: Critical (CVSS 9.4). Successful exploitation grants the attacker arbitrary code execution on the host server with the privileges of the n8n process. This can lead to data exfiltration, credential theft, lateral movement, and full system compromise.

Detection Techniques: Monitor application logs for Git operations that set core.hooksPath. Analyze filesystem events for creation of executable files in unusual directories (e.g., /tmp or non-standard hidden folders). Use EDR solutions to flag git processes spawning unexpected child shells.

How to Detect if Exploited: Review n8n execution logs for the presence of core.hooksPath. Audit Git configuration files on the host for anomalous hook paths. Check for unexpected outbound network connections initiated by the n8n service account.

Mitigation Steps:
- Upgrade: Immediately upgrade to n8n version 1.119.2 or later.
- Disable Feature: Disable the Git Node if patching is not immediately possible.
- Access Control: Restrict workflow creation and modification to trusted administrators only.
- Network Segmentation: Isolate the n8n instance from sensitive internal networks until fully patched.

Workaround if Available: Exclude the Git Node from the list of available nodes in the n8n configuration. Avoid cloning or interacting with untrusted repositories using the Git Node feature.
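As an added example (not from the advisory and not n8n's own code), the two detection rows above as runnable checks in Python: a small parser that reads a git config body and flags a core.hooksPath pointing anywhere other than the repository's own .git/hooks, plus a scanner that pulls core.hooksPath settings out of log lines. The config body, the log lines and their format, and the /srv/repo work-tree path are constructed assumptions.

```python
"""Defender-side checks for the core.hooksPath abuse this advisory describes."""
import posixpath
import re

# Constructed sample of a repository-level .git/config after a hostile Add Config entry.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\thooksPath = /tmp/hooks
[remote "origin"]
\turl = https://example.invalid/repo.git
"""
# Constructed log lines; the real n8n log format differs, so adapt LOG_RE to it.
SAMPLE_LOG = [
    "2025-11-20T10:01:02Z info workflow 42: Git node clone finished",
    "2025-11-20T10:01:03Z info workflow 42: Git node addConfig core.hooksPath=/tmp/hooks",
    "2025-11-20T10:01:04Z info workflow 42: Git node commit finished",
]

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")
# 'core.hooksPath=/x' or 'core.hooksPath /x' anywhere in free-form log text, case-insensitive.
LOG_RE = re.compile(r"core\.hooksPath\s*[=\s]\s*(\S+)", re.IGNORECASE)


def parse_git_config(text):
    """Flatten a git-config body into {'section.key': value}; names lowercased as git treats them."""
    section, out = "", {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = KEY_RE.match(line)
        if m and section:
            out[section + "." + m.group(1).lower()] = m.group(2)
    return out


def audit_hooks_path(config_text, work_tree="/srv/repo"):
    """Return the core.hooksPath value if it points anywhere but <work_tree>/.git/hooks, else None.
    A relative value is resolved against the work tree, where git runs hooks for a non-bare repo."""
    hooks = parse_git_config(config_text).get("core.hookspath")
    if hooks is None:
        return None
    resolved = posixpath.normpath(posixpath.join(work_tree, hooks))
    return hooks if resolved != posixpath.join(work_tree, ".git", "hooks") else None


def scan_log_lines(lines):
    """Return (line_number, path) for every log line that sets core.hooksPath."""
    return [(n, m.group(1)) for n, line in enumerate(lines, start=1)
            if (m := LOG_RE.search(line))]
```

Run it against every .git/config the n8n service account can write to (and the global and system git config) and against an export of the n8n execution log; a hit is a lead to investigate, not proof of compromise on its own.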