Hands-on with n8n Expression Injection - CVE-2025-68613
Hands-on with n8n Expression Injection – Sandbox Escape Case Study

In this lab, I analyzed a critical expression injection flaw in n8n that allows authenticated workflow expressions to escape sandbox isolation and access the underlying Node.js runtime, resulting in potential Remote Code Execution (RCE).

Understanding the Execution Model

n8n allows users to embed expressions inside workflow nodes (Set, IF, HTTP Request, etc.) to compute dynamic values at runtime. These expressions are evaluated server-side by a Node.js-based engine.

When sandboxing assumptions fail, the execution flow becomes:

Authenticated user → Workflow expression → Expression evaluation engine → Node.js runtime objects (process, require) → Sandbox escape → Potential RCE

---

Architecture Overview

High-Level Architecture

[Diagram components: User Browser, n8n Web UI, Expression Engine, Node.js Runtime]

Understanding Payload St...
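Added example (not from the original write-up or the n8n project): a triage scan, tied to the execution flow under "Understanding the Execution Model", that walks an exported workflow and flags expressions referencing the runtime objects named there (process, require). It assumes expressions are string parameters that start with "=" and hold their code in {{ ... }} blocks; the function names and the sample workflow are hypothetical and constructed for illustration.

```javascript
// Added example: triage heuristic only. Watched names come from the write-up.
const RUNTIME_IDENTIFIERS = ["process", "require"];

// Assumption: an expression is a string parameter starting with "=" whose
// code sits inside {{ ... }} blocks.
const EXPRESSION_BLOCK = /\{\{([\s\S]*?)\}\}/g;

// Whole-identifier match: "processing" is ignored, but a property access such
// as $json.process is still flagged and left for manual review.
function findRuntimeReferences(expressionBody) {
  return RUNTIME_IDENTIFIERS.filter((name) =>
    new RegExp(`(?<![\\w$])${name}(?![\\w$])`).test(expressionBody)
  );
}

// Recursively walk a node's parameters and record every expression block
// that references a watched identifier.
function scanValue(value, path, nodeName, findings) {
  if (typeof value === "string") {
    if (!value.startsWith("=")) return; // literal text, not an expression
    for (const match of value.matchAll(EXPRESSION_BLOCK)) {
      const identifiers = findRuntimeReferences(match[1]);
      if (identifiers.length) findings.push({ node: nodeName, path, identifiers });
    }
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      scanValue(child, `${path}.${key}`, nodeName, findings);
    }
  }
}

function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    scanValue(node.parameters, "parameters", node.name, findings);
  }
  return findings;
}

// Constructed sample export (hypothetical node names and values).
const SAMPLE_WORKFLOW = {
  nodes: [
    { name: "Greeting", parameters: { values: { string: [{ name: "msg", value: "={{ $json.firstName + ' processing' }}" }] } } },
    { name: "Probe", parameters: { values: { string: [{ name: "v", value: "={{ typeof process + typeof require }}" }] } } },
    { name: "Note", parameters: { note: "require approval from the process owner" } },
  ],
};

console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW), null, 2));
```

Each finding gives the node name and parameter path to review; a clean result only means none of the watched names appears literally in an expression.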