CVE-2025-62726: n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
CVSS Score: 8.8 (CVSS v3.1)

Basic Information
CVE ID: CVE-2025-62726
GHSA ID:
EPSS Score: 0.42737%
CWE:
Published: 10/30/2025
Updated: 10/30/2025
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| n8n | npm | < 1.113.0 | 1.113.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability exists in the Git node of n8n, where git hooks could be used to execute arbitrary code. The patch for CVE-2025-62726 modifies the execute method of the Git class in packages/nodes-base/nodes/Git/Git.node.ts. The change passes a configuration setting to the simple-git library that stops git from treating bare repositories as repositories, which closes the path by which the pre-commit hook was executed. The execute function is the node's main entry point and is where the vulnerable call into the git library is made, so Git.execute is the vulnerable function that would appear in a runtime profile during exploitation.
Vulnerable functions
Git.execute in packages/nodes-base/nodes/Git/Git.node.ts
The `execute` method in the `Git` node is vulnerable to remote code execution. It uses the `simple-git` library to perform git operations. Before the patch it did not restrict the use of bare repositories, which can carry malicious pre-commit hooks. An attacker could create a repository containing such a hook, and when a user cloned it with the Git node the hook would run on the n8n instance, leading to RCE. The patch prevents this by adding `safe.bareRepository=explicit` to the git configuration, so git no longer recognizes an embedded bare repository and its hooks are not executed.