GHSA-xgp7-7qjq-vg47
Vulnerability from github
Published
2025-10-30 17:04
Modified
2025-10-30 19:54
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
Details

Impact

A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution.

This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows.

All users with workflows that utilize the Git Node to clone untrusted repositories are affected.

Patches

The vulnerability was addressed in v1.113.0 (n8n-io/n8n#19559), which introduces a new environment variable: N8N_GIT_NODE_DISABLE_BARE_REPOS. For self-hosted deployments, it is strongly recommended to set this variable to true to mitigate the risk of executing malicious Git hooks.

Workarounds

To reduce risk prior to upgrading:

  • Avoid cloning or interacting with untrusted repositories using the Git Node.
  • Disable or restrict the use of the Git Node in workflows where repository content cannot be fully trusted.
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.113.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-30T17:04:26Z",
    "nvd_published_at": "2025-10-30T17:15:39Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook\u2019s execution.\n\nThis allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows.\n\nAll users with workflows that utilize the Git Node to clone untrusted repositories are affected.\n\n### Patches\nThe vulnerability was addressed in v1.113.0 (n8n-io/n8n#19559), which introduces a new environment variable: `N8N_GIT_NODE_DISABLE_BARE_REPOS`. For self-hosted deployments, it is strongly recommended to set this variable to `true` to mitigate the risk of executing malicious Git hooks.\n\n### Workarounds\nTo reduce risk prior to upgrading:\n\n- Avoid cloning or interacting with untrusted repositories using the Git Node.\n- Disable or restrict the use of the Git Node in workflows where repository content cannot be fully trusted.",
  "id": "GHSA-xgp7-7qjq-vg47",
  "modified": "2025-10-30T19:54:37Z",
  "published": "2025-10-30T17:04:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62726"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/pull/19559"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/n8n-io/n8n"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.