CVE-2025-62726
Published: 30 October 2025
Summary
CVE-2025-62726 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in N8N N8N. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and patching of the specific RCE flaw in n8n's Git Node that executes malicious pre-commit hooks, as fixed in version 1.113.0.
Deploys malicious code protection mechanisms to scan cloned Git repositories and block execution of malicious pre-commit hooks within the n8n environment.
Conducts vulnerability scanning to identify the presence of CVE-2025-62726 in n8n Git Node, enabling prompt detection and remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote code execution by exploiting insecure execution of untrusted pre-commit hooks from remote Git repositories in the public-facing n8n workflow platform's Git Node.
NVD Description
n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing…
more
a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.
Deeper analysisAI
CVE-2025-62726 is a remote code execution vulnerability (CWE-829) in the Git Node component of n8n, an open source workflow automation platform. It affects both Cloud and Self-Hosted versions prior to 1.113.0. The flaw occurs when the Git Node clones a remote repository containing a malicious pre-commit hook, and a subsequent Commit operation triggers execution of that hook, allowing arbitrary code to run within the n8n environment.
Attackers with low privileges, such as authenticated users (PR:L), can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). By hosting a malicious Git repository with a pre-commit hook, an attacker can entice a victim to clone it via the Git Node and then perform a commit, resulting in arbitrary code execution. This grants high confidentiality, integrity, and availability impact (CVSS 8.8), potentially compromising the n8n system, connected credentials, and workflows.
The vulnerability is addressed in n8n version 1.113.0. Mitigation details are available in the GitHub security advisory (GHSA-xgp7-7qjq-vg47), the fixing pull request (n8n-io/n8n/pull/19559), and the associated commit (n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997).
Details
- CWE(s)