CVE-2025-65964
Severity: HIGH
n8n 0.123.1-1.119.1 - Remote Code Execution via Git Hook Path Manipulation
Title source: llm
Exploitation Summary
EIP tracks 6 public exploits for CVE-2025-65964. PoCs published by Syzygy-K, nn0nkey, Pinus97.
AI-analyzed exploit summary
This PoC exploits CVE-2025-65964 in n8n by manipulating Git hooks to achieve remote code execution. It demonstrates how an attacker can clone a malicious repository, modify Git configurations, and trigger arbitrary command execution via a crafted pre-commit hook.
Description
n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through a repository's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node and avoiding cloning or interacting with untrusted repositories using the Git Node.
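A defender-side check for the Add Config exposure described above, added here as an example that is not from this page or from the n8n project: it scans an exported n8n workflow JSON for Git node Add Config steps that set core.hooksPath or similar code-executing keys, which is what a reviewer would audit before upgrading to 1.119.2 is complete. The node type name n8n-nodes-base.git, the operation value addConfig and the key/value parameter names are assumptions about the export format, and the keys flagged beyond core.hooksPath are the editor's choice.

```python
import json

# Git configuration keys that make a later Git operation run operator-chosen code.
# core.hooksPath is the key named in CVE-2025-65964; the rest are added by the
# editor as further keys worth flagging in a workflow review (assumption).
DANGEROUS_GIT_KEYS = {
    "core.hookspath",
    "core.sshcommand",
    "core.gitproxy",
    "core.pager",
    "core.editor",
    "core.fsmonitor",
    "diff.external",
}

GIT_NODE_TYPE = "n8n-nodes-base.git"  # assumed node type string of the n8n Git node


def find_risky_git_config(workflow: dict) -> list:
    """Return (node name, key, value) for each Git node 'Add Config' step that sets a
    dangerous key. Assumes exported workflow JSON with nodes[].type and
    nodes[].parameters carrying operation/key/value for the addConfig operation."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != GIT_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        if params.get("operation") != "addConfig":
            continue
        # Git config keys are case-insensitive in their section/name parts.
        key = str(params.get("key", "")).strip().lower()
        if key in DANGEROUS_GIT_KEYS or key.endswith(".hookspath"):
            findings.append((node.get("name", "?"), key, params.get("value")))
    return findings


# Constructed sample export: a clone, a hooksPath override, and a harmless config.
SAMPLE_WORKFLOW = json.loads("""
{"nodes": [
  {"name": "Clone", "type": "n8n-nodes-base.git",
   "parameters": {"operation": "clone", "sourceRepository": "https://example.invalid/r.git"}},
  {"name": "Set hooks", "type": "n8n-nodes-base.git",
   "parameters": {"operation": "addConfig", "key": "core.hooksPath", "value": "./hooks"}},
  {"name": "Set name", "type": "n8n-nodes-base.git",
   "parameters": {"operation": "addConfig", "key": "user.name", "value": "bot"}}
]}
""")

if __name__ == "__main__":
    for name, key, value in find_risky_git_config(SAMPLE_WORKFLOW):
        print(f"RISKY: node {name!r} sets {key} = {value!r}")
```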
Exploits (6)
This PoC exploits CVE-2025-65964 in n8n by manipulating Git hooks to achieve remote code execution. It demonstrates how an attacker can clone a malicious repository, modify Git configurations, and trigger arbitrary command execution via a crafted pre-commit hook.
The repository contains only a README.md file with a title claiming to be a 'Malicious Repo for CVE-2025-65964' but no actual exploit code or technical details. This appears to be a placeholder or stub.
This repository is a CTF demonstration explaining how Git hooks can be misused via `core.hooksPath` to achieve command execution in an automation platform like n8n. It describes a scenario where an attacker-controlled workflow sets a malicious Git configuration to execute hooks from a repository directory.
The repository contains only a README.md file with minimal information, lacking any actual exploit code or technical details. It appears to be a placeholder or incomplete submission.
References (4)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H