GHSA-wpqc-h9wp-chmq
n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook
Details
### Impact
The n8n Git node allows workflows to set arbitrary Git configuration values through the _Add Config_ operation. When an attacker-controlled workflow sets `core.hooksPath` to a directory within the cloned repository containing a Git hook such as `pre-commit`, Git executes that hook during subsequent Git operations. Because Git hooks run as local system commands, this behavior can lead to **arbitrary command execution** on the underlying n8n host.
Successful exploitation requires the ability to create or modify an n8n workflow that uses the Git node.
Affected versions: **≥ 0.123.1 and < 1.119.2**
### Patches
This issue has been patched in **n8n version 1.119.2**.
All users running affected versions should upgrade to **1.119.2 or later**.
### Workarounds
If upgrading is not immediately possible, the following mitigations can reduce exposure:
- Exclude the Git node ([Docs](https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes)).
- Avoid cloning or interacting with untrusted repositories using the Git Node.
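
An added example (not part of the advisory or n8n's own code) for reviewing exported workflows while an upgrade is pending: it flags Git nodes whose Add Config operation writes `core.hooksPath`, or whose config key is an expression that cannot be checked statically. The node type `n8n-nodes-base.git`, the `addConfig` operation value, the `key`/`value` parameter names and the sample workflow are assumptions about the export format.

```javascript
// Added example: audit exported n8n workflow JSON for Git-node config writes
// that touch core.hooksPath. Field names below are assumptions about the
// export format (type "n8n-nodes-base.git", operation "addConfig", key/value).
const GIT_NODE_TYPE = 'n8n-nodes-base.git'; // assumed node type id
const ADD_CONFIG_OP = 'addConfig';          // assumed operation value
// Git treats section and variable names case-insensitively, so compare lowercased.
const RISKY_KEYS = new Set(['core.hookspath']);

// n8n stores expressions as strings starting with "="; such a key cannot be
// resolved statically, so it is reported for manual review.
const isExpression = (v) => typeof v === 'string' && v.startsWith('=');

function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    if (node.type !== GIT_NODE_TYPE) continue;
    const p = node.parameters ?? {};
    if (p.operation !== ADD_CONFIG_OP) continue;
    const key = String(p.key ?? '').trim();
    if (isExpression(key)) {
      findings.push({ node: node.name, reason: 'dynamic-key', key });
    } else if (RISKY_KEYS.has(key.toLowerCase())) {
      findings.push({ node: node.name, reason: 'hooks-path', key, value: p.value });
    }
  }
  return findings;
}

// Constructed sample export (not taken from a real instance).
const sampleWorkflow = {
  name: 'constructed-sample',
  nodes: [
    { name: 'Clone', type: GIT_NODE_TYPE, parameters: { operation: 'clone' } },
    { name: 'Set author', type: GIT_NODE_TYPE,
      parameters: { operation: ADD_CONFIG_OP, key: 'user.name', value: 'ci' } },
    { name: 'Set hooks', type: GIT_NODE_TYPE,
      parameters: { operation: ADD_CONFIG_OP, key: 'Core.HooksPath', value: 'hooks' } },
    { name: 'Set from input', type: GIT_NODE_TYPE,
      parameters: { operation: ADD_CONFIG_OP, key: '={{ $json.key }}', value: 'x' } },
    { name: 'HTTP', type: 'n8n-nodes-base.httpRequest', parameters: {} },
  ],
};

for (const f of auditWorkflow(sampleWorkflow)) {
  console.log(`${f.node}: ${f.reason} (${f.key})`);
}
```
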
References
- https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-65964 [ADVISORY]
- https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04 [WEB]
- https://github.com/n8n-io/n8n [PACKAGE]
- https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2 [WEB]
- https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes [WEB]