AI Threat Alert
CVE-2025-65964
HIGHAny n8n instance running versions 0.123.1–1.119.2 with the Git node enabled is vulnerable to full remote code execution by any user who can create or edit workflows — patch to 1.119.2 immediately. In AI agent environments, n8n often holds API keys for LLMs, databases, and SaaS integrations, making RCE catastrophically impactful beyond just the host. If you cannot patch today, disable the Git node via the node exclusion config and audit recent workflow changes.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Do you use n8n? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade to n8n 1.119.2 immediately — this is the only full fix. 2. WORKAROUND (if patching is blocked): Exclude the Git node in n8n configuration using `nodes.exclude` in `config/default.json` or equivalent environment variable — reference: https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes. 3. AUDIT: Review recent workflow changes (last 30–90 days) for any workflows using the Git node's Add Config operation, specifically checking for modifications to `core.hooksPath`. 4. REVOKE: Rotate all credentials stored in n8n environment variables and workflow credentials store if exploitation cannot be ruled out. 5. DETECT: Alert on Git processes spawning unusual child processes from the n8n service account; monitor for `.git/hooks/` writes or `core.hooksPath` configuration in Git repos accessible by n8n. 6. RESTRICT: Limit workflow creation/edit permissions to a minimal set of trusted principals until patching is confirmed.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node.
Exploitation Scenario
An adversary with n8n workflow editor access (compromised user account, insider, or via a credential stuffing attack against a publicly exposed n8n instance) creates a new workflow using the Git node. In the workflow, they invoke the 'Add Config' operation to set `core.hooksPath` to a path they control — either a directory in the repository or a writable system path. They populate that directory with a `pre-commit` or `post-checkout` shell script containing a reverse shell or credential exfiltration payload. The workflow then triggers any subsequent Git operation (clone, pull, commit) against any repository. The malicious hook fires with the n8n process privileges, executing arbitrary commands on the host. The attacker extracts n8n's environment variables (LLM API keys, database URLs, Stripe/webhook secrets), pivots into connected AI infrastructure, or deploys a persistent backdoor. The entire chain requires no privileged access — only workflow edit rights.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H