CVE-2025-62726

HIGH

Published October 30, 2025

CISO Take

Any n8n instance below 1.113.0 is a credential dump waiting to happen. An attacker with a low-privilege n8n account can host a malicious git repo with a poisoned pre-commit hook, trigger RCE the moment any workflow runs a Commit operation, and walk away with every API key, OAuth token, and database password stored in your automation platform. Patch to 1.113.0 immediately — if you cannot, rotate all n8n-stored credentials now and disable Git Node access.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. IMMEDIATE: Upgrade n8n to 1.113.0 or later — the only complete fix. 2. DETECT: Audit all workflows for Git Node usage; flag any that clone external or user-supplied repositories. 3. RESTRICT: Treat Git Node access as a privileged operation — limit who can create or modify workflows containing Git Nodes. 4. ROTATE: If patching is delayed, proactively rotate all credentials stored in n8n (API keys, OAuth tokens, DB passwords). 5. ISOLATE: Ensure n8n runs in a container with minimal host permissions, network egress restrictions, and no direct mount of sensitive host paths. 6. MONITOR: Alert on unexpected outbound connections and process spawning from the n8n process — a reverse shell will be the typical payload.

Classification

Code Execution Supply Chain Data Extraction Agent Framework Plugin AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - AI supply chain security A.7.4 - Protection of AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI risk management

OWASP LLM Top 10

LLM08 - Excessive Agency

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.

Exploitation Scenario

Attacker registers a low-privilege account on a shared n8n instance (or compromises one via credential stuffing). They create a workflow that clones a GitHub repository they control — the repo contains a .git/hooks/pre-commit script with a reverse shell payload. The workflow is saved and triggered on a schedule or by a webhook. When n8n's Git Node executes the Commit operation against the cloned repository, the pre-commit hook fires inside n8n's runtime. The attacker receives a reverse shell, dumps n8n's encrypted credential store, and pivots to every API, database, and cloud service the automation platform touches — including any connected LLM providers, vector databases, or internal AI tools.

Weaknesses (CWE)

CWE-829

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997
Patch
github.com/n8n-io/n8n/pull/19559
Issue
github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47
Patch Vendor

Timeline

Published

October 30, 2025

Last Modified

December 31, 2025

First Seen

October 30, 2025

Back to Threat Feed