CVE-2025-68613 Google Chronicle · YARA-L

Detect n8n Improper Control of Dynamically-Managed Code Resources (CVE-2025-68613) in Google Chronicle

Detects exploitation of CVE-2025-68613, a critical vulnerability in the n8n workflow automation platform where improper control of dynamically-managed code resources (CWE-913) allows attackers to execute arbitrary code. This vulnerability is actively exploited in the wild (CISA KEV). Attackers can abuse n8n's Code node or expression evaluation engine to break out of the intended sandboxing and execute arbitrary system commands on the underlying host.

MITRE ATT&CK

Tactic
Execution, Lateral Movement, Impact

YARA-L Detection Query

Google Chronicle (YARA-L)

rule cve_2025_68613_n8n_code_execution {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2025-68613 exploitation via n8n dynamic code resource abuse"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp"
    cve = "CVE-2025-68613"

  events:
    // Parent: a node process whose command line references n8n
    $parent.metadata.event_type = "PROCESS_LAUNCH"
    $parent.principal.process.file.full_path = /(?i).*node(\.exe)?$/
    $parent.principal.process.command_line = /(?i).*n8n.*/
    $parent.principal.hostname = $hostname

    // Child: an interpreter or download tool spawned by node, or a node child
    // whose command line contains recon, credential-access or encoding indicators
    $child.metadata.event_type = "PROCESS_LAUNCH"
    $child.principal.process.parent_process.file.full_path = /(?i).*node(\.exe)?$/
    (
      $child.principal.process.file.full_path = /(?i).*(bash|sh|cmd\.exe|powershell|pwsh|wget|curl|python[23]?|perl|ruby|ncat|nc)$/
      or $child.principal.process.command_line = /(?i).*(whoami|id\b|\/etc\/passwd|\/etc\/shadow|base64|chmod\s+\+x|net\s+user|certutil|bitsadmin).*/
    )
    // Join parent and child on the same host through the match placeholder
    $child.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if($child.principal.process.command_line = /(?i).*\/etc\/shadow.*/, 95,
      if($child.principal.process.command_line = /(?i).*(base64|certutil|bitsadmin).*/, 85,
      if($child.principal.process.file.full_path = /(?i).*(powershell|cmd\.exe).*/, 80, 70)))
    )
    // A rule with a match section must aggregate its outcome values
    $usernames = array_distinct($child.principal.user.userid)
    $child_processes = array_distinct($child.principal.process.file.full_path)
    $cmdlines = array_distinct($child.principal.process.command_line)

  condition:
    $parent and $child
}
Severity: critical · Confidence: medium

Chronicle YARA-L rule correlating n8n parent process events with suspicious child process launches to detect active exploitation of CVE-2025-68613 across enterprise environments.
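To see what the correlation above actually fires on, here is an added offline approximation of the rule in Python (example code written for this page, not part of the df00tech package or Chronicle). It applies the same parent, child and risk-score matchers to a few constructed process-launch records and the 5-minute same-host window; event field names and the sample records are assumptions.

```python
"""Offline approximation of the Chronicle rule over constructed process-launch events."""
import re
from collections import defaultdict

# Matchers mirror the rule's events section (RE2 (?i) becomes re.I).
NODE_RE = re.compile(r".*node(\.exe)?$", re.I)
N8N_RE = re.compile(r".*n8n.*", re.I)
CHILD_BIN_RE = re.compile(
    r".*(bash|sh|cmd\.exe|powershell|pwsh|wget|curl|python[23]?|perl|ruby|ncat|nc)$", re.I)
CHILD_CMD_RE = re.compile(
    r".*(whoami|id\b|/etc/passwd|/etc/shadow|base64|chmod\s+\+x|net\s+user|certutil|bitsadmin).*", re.I)

def risk_score(child):
    """Same tiers as the rule's outcome section."""
    cmd, path = child["cmdline"], child["path"]
    if re.search(r"/etc/shadow", cmd, re.I):
        return 95
    if re.search(r"base64|certutil|bitsadmin", cmd, re.I):
        return 85
    if re.search(r"powershell|cmd\.exe", path, re.I):
        return 80
    return 70

def detect(events, window_s=300):
    """Return {hostname: max risk} for hosts where an n8n node parent and a
    suspicious node-spawned child both launch within window_s seconds."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = {}
    for host, evs in by_host.items():
        parents = [e for e in evs if NODE_RE.match(e["path"]) and N8N_RE.match(e["cmdline"])]
        children = [e for e in evs if NODE_RE.match(e["parent_path"])
                    and (CHILD_BIN_RE.match(e["path"]) or CHILD_CMD_RE.match(e["cmdline"]))]
        for p in parents:
            for c in children:
                if abs(c["ts"] - p["ts"]) <= window_s:
                    hits[host] = max(hits.get(host, 0), risk_score(c))
    return hits

# Constructed sample telemetry (not real data): one n8n host with two suspicious
# children, and one plain Node.js dev host that must not alert.
SAMPLE_EVENTS = [
    {"host": "n8n-01", "ts": 100, "path": "/usr/bin/node", "parent_path": "/usr/bin/bash",
     "cmdline": "node /usr/lib/node_modules/n8n/bin/n8n start"},
    {"host": "n8n-01", "ts": 130, "path": "/bin/sh", "parent_path": "/usr/bin/node",
     "cmdline": "sh -c cat /etc/shadow"},
    {"host": "n8n-01", "ts": 140, "path": "/usr/bin/curl", "parent_path": "/usr/bin/node",
     "cmdline": "curl http://127.0.0.1:9999 -d base64payload"},
    {"host": "dev-02", "ts": 200, "path": "/usr/bin/node", "parent_path": "/usr/bin/bash",
     "cmdline": "node server.js"},
    {"host": "dev-02", "ts": 210, "path": "/bin/bash", "parent_path": "/usr/bin/node",
     "cmdline": "bash build.sh"},
]
```

Running `detect(SAMPLE_EVENTS)` yields `{"n8n-01": 95}`: the dev host's bash child is ignored because its node parent never references n8n, which is also why the tuning list below matters for hosts that legitimately run n8n Execute Command nodes.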

Data Sources

Google Chronicle SIEM, Chronicle Endpoint Telemetry

Required Tables

PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate n8n Execute Command nodes in authorized automation workflows
  • n8n infrastructure automation that intentionally invokes shell interpreters
  • Development n8n instances running integration tests with system calls
  • Security orchestration platforms built on n8n triggering response scripts

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: n8n Code Node Shell Command Execution

    Expected signal: Sysmon Event ID 1 showing the node process spawning an sh or bash child process with command arguments containing 'id', 'whoami', 'hostname'

  2. Test 2: n8n Expression Evaluator File Write to Temp Directory

    Expected signal: Sysmon Event ID 11 (FileCreate) showing the node process creating a .sh file in /tmp, followed by Event ID 1 showing chmod +x execution

  3. Test 3: n8n Code Node Reverse Shell Simulation (Netcat)

    Expected signal: Sysmon Event ID 1 showing node.js spawning an nc/ncat process with the -e flag and IP/port arguments; Sysmon Event ID 3 showing a network connection from the node process to 127.0.0.1:4444

  4. Test 4: n8n Credential Exfiltration Simulation via HTTP

    Expected signal: Sysmon Event ID 1 showing node spawning bash and then curl with base64-encoded data arguments; Sysmon Event ID 3 showing a network connection from curl to an external host on port 9999
