n8n Code Injection Vulnerability Exploited in Wild - Low-Code Automation Platform Targeted

CVE-2025-68613 represents a critical control failure in n8n's handling of dynamically-managed code resources. Low-code/no-code platforms like n8n are attractive targets because they often execute code with elevated privileges and have broad system access for workflow orchestration. The vulnerability allows improper control of code execution paths, likely through insufficient input validation or unsafe code evaluation mechanisms.

The fact that CISA has added this to the Known Exploited Vulnerabilities Catalog indicates confirmed, active exploitation in the wild—not theoretical or sporadic attacks. This elevates urgency significantly. Threat actors are actively weaponizing this vulnerability, making it a priority for any organization running n8n in production environments.

From a technical perspective, improper control of dynamically-managed code resources typically stems from inadequate sandboxing, unsafe use of functions like eval(), or insufficient validation of user-supplied expressions/scripts. In workflow automation contexts, this could manifest as code injection through workflow definitions, variable interpolation, or custom JavaScript/Python blocks.

Organizations using n8n must immediately: (1) patch to the latest patched version; (2) audit existing workflows for suspicious code patterns; (3) implement network segmentation to limit n8n's access; (4) monitor execution logs for anomalous activity; (5) review audit trails for signs of compromise. Federal agencies face explicit BOD 22-01 remediation deadlines.

This incident underscores a broader pattern: low-code platforms are increasingly targeted because they abstract complexity while maintaining dangerous capabilities. The intersection of ease-of-use and code execution creates a security paradox that organizations must navigate carefully through proper access controls, sandboxing, and monitoring.