CVE-2025-62726: 
JavaScript vulnerability analysis and mitigation

CVE-2025-62726 affects n8n, an open source workflow automation platform. The vulnerability was discovered and disclosed on October 30, 2025. A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n prior to version 1.113.0. The vulnerability allows malicious actors to execute arbitrary code within the n8n environment through pre-commit hooks when cloning untrusted repositories (GitHub Advisory, NVD).

When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook's execution. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is categorized as CWE-829: Inclusion of Functionality from Untrusted Control Sphere (GitHub Advisory).

This vulnerability allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. All users with workflows that utilize the Git Node to clone untrusted repositories are affected (GitHub Advisory).

The vulnerability was patched in version 1.113.0 with the introduction of a new environment variable N8N_GIT_NODE_DISABLE_BARE_REPOS. For self-hosted deployments, it is strongly recommended to set this variable to true. Prior to upgrading, users should avoid cloning or interacting with untrusted repositories using the Git Node and disable or restrict the use of the Git Node in workflows where repository content cannot be fully trusted (GitHub Advisory).