Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-62726 PoC — n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook

Source
https://github.com/baktistr/CVE-2025-62726-POC---n8n-Git-Node-RCE
Associated Vulnerability
Title:n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook (CVE-2025-62726)
Description:n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.
Readme
# CVE-2025-62726 POC - n8n Git Node RCE

## Educational Purpose
This is a proof-of-concept demonstration for CVE-2025-62726, created for educational purposes as part of a class project.

## Vulnerability Overview

**CVE ID:** CVE-2025-62726
**Severity:** CVSS 8.8 (High)
**Affected Software:** n8n (workflow automation platform)
**Vulnerable Versions:** < 1.113.0
**Vulnerability Type:** Remote Code Execution (RCE) via Git Hooks
**CWE Classification:** CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

## Technical Details

### How It Works

1. **Attack Vector:** Git pre-commit hooks in cloned repositories
2. **Trigger:** When n8n's Git Node performs a commit operation
3. **Execution:** Git automatically executes the pre-commit hook with n8n process privileges
4. **Impact:** Arbitrary code execution, credential theft, workflow manipulation

### Root Cause

n8n's Git Node fails to sanitize or isolate git hooks when cloning untrusted repositories. When a workflow:
- Clones a repository containing malicious `.git/hooks/pre-commit`
- Performs a commit operation
- Git automatically executes the hook script

### CVSS Vector
```
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
```
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality/Integrity/Availability: High

## Demo Structure

```
.
├── README.md (this file)
├── DEMO_GUIDE.md (step-by-step demonstration guide)
├── ATTACK_SCENARIOS.md (detailed attack vectors and scenarios)
├── PRESENTATION_OUTLINE.md (class presentation guide)
├── MITIGATION.md (security and mitigation details)
├── docker-compose.yml (vulnerable n8n setup)
├── malicious-repo/ (repository with malicious hook)
│   └── .git/hooks/pre-commit
├── n8n-workflow.json (demo workflow)
└── run-demo.sh (automated demo runner)
```

## Documentation

### 📚 Available Guides

1. **[DEMO_GUIDE.md](DEMO_GUIDE.md)** - Complete step-by-step demonstration instructions
2. **[ATTACK_SCENARIOS.md](ATTACK_SCENARIOS.md)** - Detailed attack vectors, exploitation techniques, and real-world scenarios
3. **[PRESENTATION_OUTLINE.md](PRESENTATION_OUTLINE.md)** - Complete 20-slide presentation for class
4. **[MITIGATION.md](MITIGATION.md)** - Comprehensive security, detection, and mitigation strategies

## Quick Start

### Prerequisites
- Docker and Docker Compose
- Git

### Automated Setup
```bash
./run-demo.sh
```

### Manual Setup

#### Step 1: Set up the malicious repository
```bash
cd malicious-repo
git init
```

### Step 2: Start vulnerable n8n instance
```bash
docker-compose up -d
```

### Step 3: Access n8n
- Open http://localhost:5678
- Create an account
- Import the workflow from `n8n-workflow.json`

### Step 4: Trigger the vulnerability
- Execute the workflow
- Observe the pre-commit hook execution

### Step 5: Check the results
```bash
docker-compose logs n8n
cat /tmp/pwned.txt  # Evidence file created by the hook
```

## Mitigation

### For Self-Hosted Users
Set environment variable:
```bash
N8N_GIT_NODE_DISABLE_BARE_REPOS=true
```

### General Recommendations
1. Upgrade to n8n version 1.113.0 or later
2. Disable Git Node if not needed
3. Only clone trusted repositories
4. Implement workflow access controls
5. Monitor for suspicious git operations

## References
- [CVE-2025-62726 Official Record](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-62726)
- [Wiz Vulnerability Database](https://www.wiz.io/vulnerability-database/cve/cve-2025-62726)
- [ZeroPath Technical Analysis](https://zeropath.com/blog/cve-2025-62726-n8n-git-node-rce-summary)

## Disclaimer
This POC is for educational purposes only. Only use this in controlled environments with proper authorization. Do not use this against systems you don't own or have explicit permission to test.
File Snapshot

 [4.0K]  /data/pocs/c62b8f86b40b18f91d54b41d146d3d7bd1e0b620
├── [ 30K]  ATTACK_FLOW_DIAGRAM.md
├── [ 22K]  ATTACK_SCENARIOS.md
├── [8.4K]  DEMO_GUIDE.md
├── [5.9K]  DIRECT_METHOD.md
├── [1.1K]  docker-compose.yml
├── [5.8K]  FINAL_SETUP.md
├── [4.0K]  malicious-repo
├── [6.1K]  MITIGATION.md
├── [4.3K]  n8n-workflow.json
├── [4.0K]  payloads
│   └── [ 109]  payload.sh
├── [9.5K]  PRESENTATION_OUTLINE.md
├── [7.4K]  QUICK_REFERENCE.md
├── [2.6K]  QUICK_REVSHELL.md
├── [3.8K]  README.md
├── [7.6K]  REALISTIC_WORKFLOW.md
├── [9.7K]  REMOTE_DEMO_STEPS.md
├── [ 19K]  REMOTE_PAYLOAD_SETUP.md
├── [ 10K]  REVERSE_SHELL_DEMO.md
├── [3.8K]  run-demo.sh
├── [ 16K]  SETUP_MALICIOUS_REPO.md
├── [ 724]  start-payload-server.sh
├── [7.8K]  verify-setup.sh
└── [4.9K]  WORKFLOW_FIXED.md

3 directories, 22 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →