=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN754
_____________________________________________________________________

DATE                : 31/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running n8n versions prior to 1.113.0.

=====================================================================
https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47
_____________________________________________________________________


Remote Code Execution via Git Node Pre-Commit Hook
High
csuermann published GHSA-xgp7-7qjq-vg47 Oct 30, 2025

Package
n8n (npm)

Affected versions
< 1.113.0

Patched versions
1.113.0


Description

Impact

A remote code execution vulnerability exists in the Git Node component
available in both Cloud and Self-Hosted versions of n8n. When a
malicious actor clones a remote repository containing a pre-commit
hook, the subsequent use of the Commit operation in the Git Node can
inadvertently trigger the hook’s execution.

This allows attackers to execute arbitrary code within the n8n
environment, potentially compromising the system and any connected
credentials or workflows.

All users with workflows that utilize the Git Node to clone untrusted
repositories are affected.


Patches

The vulnerability was addressed in v1.113.0 (#19559), which introduces
a new environment variable: N8N_GIT_NODE_DISABLE_BARE_REPOS. For
self-hosted deployments, it is strongly recommended to set this
variable to true to mitigate the risk of executing malicious Git
hooks.


Workarounds

To reduce risk prior to upgrading:

    - Avoid cloning or interacting with untrusted repositories using the
      Git Node.
    - Disable or restrict the use of the Git Node in workflows where
      repository content cannot be fully trusted.
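The patch note and the workarounds above both come down to two checks a self-hosted operator can automate: is the N8N_GIT_NODE_DISABLE_BARE_REPOS mitigation actually enabled, and does a checkout that a workflow is about to commit to carry an executable hook that the Commit operation would fire? The following audit script is an added example written for this note; it is not code from n8n or from the advisory. The repository-layout rules (bare vs. non-bare, core.hooksPath resolution) follow Git's documented behaviour, the temp-directory fixtures are constructed for the example, and the assumption that n8n reads the literal value "true" for the variable follows the advisory's wording.

```python
"""Added audit example, not code from n8n or from the advisory: flag cloned
repositories that carry an active Git hook so a workflow can refuse to run
a Commit operation on them, and check that the N8N_GIT_NODE_DISABLE_BARE_REPOS
mitigation is enabled. The repo layout rules and fixtures are constructed."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Hooks a plain "git commit" can fire; the advisory's Commit operation is
# what triggers the pre-commit hook.
COMMIT_HOOKS = {"pre-commit", "prepare-commit-msg", "commit-msg", "post-commit"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def is_bare_repo(repo: Path) -> bool:
    """A bare repo keeps HEAD, objects/, refs/ and hooks/ at its top level
    instead of under .git/, so hook files can arrive as ordinary content."""
    return ((repo / "HEAD").is_file() and (repo / "objects").is_dir()
            and not (repo / ".git").exists())


def configured_hooks_path(gitdir: Path) -> Optional[str]:
    """core.hooksPath from the repo config, if set (minimal INI-style scan)."""
    cfg = gitdir / "config"
    if not cfg.is_file():
        return None
    section = None
    for raw in cfg.read_text(errors="replace").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split()          # [remote "origin"] -> remote
            section = parts[0].lower() if parts else None
            continue
        key, sep, value = line.partition("=")
        if section == "core" and sep and key.strip().lower() == "hookspath":
            return value.strip().strip('"')
    return None


def hooks_dir(repo: Path) -> Path:
    """Where Git looks for hooks: core.hooksPath if set (a relative value is
    resolved against the work tree, or the repo itself when bare), else
    <gitdir>/hooks."""
    gitdir = repo if is_bare_repo(repo) else repo / ".git"
    custom = configured_hooks_path(gitdir)
    if custom:
        p = Path(os.path.expanduser(custom))
        return p if p.is_absolute() else repo / p
    return gitdir / "hooks"


def active_hooks(repo) -> List[str]:
    """Executable, non-.sample files in the hooks dir: what Git would run."""
    d = hooks_dir(Path(repo))
    if not d.is_dir():
        return []
    return sorted(e.name for e in d.iterdir()
                  if e.is_file() and not e.name.endswith(".sample")
                  and e.stat().st_mode & EXEC_BITS)


def audit(repo) -> Dict[str, object]:
    """Summarise what a Commit operation on this checkout would trigger."""
    repo = Path(repo)
    hooks = active_hooks(repo)
    return {"bare": is_bare_repo(repo), "active_hooks": hooks,
            "commit_would_run_hook": any(h in COMMIT_HOOKS for h in hooks)}


def bare_repo_clone_disabled(env=None) -> bool:
    """True when the v1.113.0 mitigation variable is set to "true" as the
    advisory recommends (how n8n itself parses the value is an assumption)."""
    env = os.environ if env is None else env
    return env.get("N8N_GIT_NODE_DISABLE_BARE_REPOS", "").strip().lower() == "true"


def make_sample_checkout(bare: bool, with_hook: bool,
                         custom_hooks_dir: Optional[str] = None) -> Path:
    """Constructed fixture: a minimal repo layout in a fresh temp dir, no git
    binary needed. The hook only echoes a line and is never executed here."""
    root = Path(tempfile.mkdtemp(prefix="gitnode-audit-"))
    gitdir = root if bare else root / ".git"
    for sub in ("objects", "refs", "hooks"):
        (gitdir / sub).mkdir(parents=True)
    (gitdir / "HEAD").write_text("ref: refs/heads/main\n")
    config = "[core]\n\tbare = %s\n" % ("true" if bare else "false")
    if custom_hooks_dir:
        config += "\thooksPath = %s\n" % custom_hooks_dir
    (gitdir / "config").write_text(config)
    (gitdir / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
    if with_hook:
        target = root / custom_hooks_dir if custom_hooks_dir else gitdir / "hooks"
        target.mkdir(parents=True, exist_ok=True)
        hook = target / "pre-commit"
        hook.write_text("#!/bin/sh\necho 'hook ran'\n")
        hook.chmod(0o755)
    return root


if __name__ == "__main__":
    for layout in ((False, True), (True, True), (False, False)):
        print(layout, audit(make_sample_checkout(*layout)))
    print("mitigation enabled:", bare_repo_clone_disabled())
```

Run `audit()` against the directory a Git Node clone lands in before the workflow's Commit step; a non-empty `active_hooks` on a freshly cloned repository is itself a signal worth alerting on, since a normal `git clone` of a non-bare repository does not populate `.git/hooks` with anything beyond the `.sample` files. The core.hooksPath lookup matters because a config-level redirect would otherwise let hooks live outside the directory the audit inspects.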


Severity
High (8.8 / 10)

CVSS v3.1 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : Low
User interaction    : None
Scope               : Unchanged
Confidentiality     : High
Integrity           : High
Availability        : High
Vector string       : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2025-62726

Weaknesses
CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)


Credits

    @assaf-levkovich-jf (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
