Related vulnerability
Title: n8n security vulnerability (CVE-2025-62726)
Description: n8n is an extensible workflow automation tool, open-sourced by n8n. Versions of n8n before 1.113.0 contain a security vulnerability: the Git Node component triggers execution when cloning a remote repository that contains a pre-commit hook, which may lead to remote code execution.
# CVE-2025-62726 POC - n8n Git Node RCE

## Educational Purpose
This is a proof-of-concept demonstration for CVE-2025-62726, created for educational purposes as part of a class project.

## Vulnerability Overview

- **CVE ID:** CVE-2025-62726
- **Severity:** CVSS 8.8 (High)
- **Affected Software:** n8n (workflow automation platform)
- **Vulnerable Versions:** < 1.113.0
- **Vulnerability Type:** Remote Code Execution (RCE) via Git Hooks
- **CWE Classification:** CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

## Technical Details

### How It Works

1. **Attack Vector:** Git pre-commit hooks in cloned repositories
2. **Trigger:** When n8n's Git Node performs a commit operation
3. **Execution:** Git automatically executes the pre-commit hook with n8n process privileges
4. **Impact:** Arbitrary code execution, credential theft, workflow manipulation

### Root Cause

n8n's Git Node fails to sanitize or isolate git hooks when cloning untrusted repositories. When a workflow:
- Clones a repository containing malicious `.git/hooks/pre-commit`
- Performs a commit operation
- Git automatically executes the hook script

### CVSS Vector
```
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
```
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality/Integrity/Availability: High

## Demo Structure

```
.
├── README.md (this file)
├── DEMO_GUIDE.md (step-by-step demonstration guide)
├── ATTACK_SCENARIOS.md (detailed attack vectors and scenarios)
├── PRESENTATION_OUTLINE.md (class presentation guide)
├── MITIGATION.md (security and mitigation details)
├── docker-compose.yml (vulnerable n8n setup)
├── malicious-repo/ (repository with malicious hook)
│   └── .git/hooks/pre-commit
├── n8n-workflow.json (demo workflow)
└── run-demo.sh (automated demo runner)
```

## Documentation

### 📚 Available Guides

1. **[DEMO_GUIDE.md](DEMO_GUIDE.md)** - Complete step-by-step demonstration instructions
2. **[ATTACK_SCENARIOS.md](ATTACK_SCENARIOS.md)** - Detailed attack vectors, exploitation techniques, and real-world scenarios
3. **[PRESENTATION_OUTLINE.md](PRESENTATION_OUTLINE.md)** - Complete 20-slide presentation for class
4. **[MITIGATION.md](MITIGATION.md)** - Comprehensive security, detection, and mitigation strategies

## Quick Start

### Prerequisites
- Docker and Docker Compose
- Git

### Automated Setup
```bash
./run-demo.sh
```

### Manual Setup

#### Step 1: Set up the malicious repository
```bash
cd malicious-repo
git init
```

#### Step 2: Start vulnerable n8n instance
```bash
docker-compose up -d
```

#### Step 3: Access n8n
- Open http://localhost:5678
- Create an account
- Import the workflow from `n8n-workflow.json`

#### Step 4: Trigger the vulnerability
- Execute the workflow
- Observe the pre-commit hook execution

#### Step 5: Check the results
```bash
docker-compose logs n8n
cat /tmp/pwned.txt  # Evidence file created by the hook
```

## Mitigation

### For Self-Hosted Users
Set the following environment variable in the n8n process environment (for example, in the shell that starts n8n, or in the container's environment):
```bash
export N8N_GIT_NODE_DISABLE_BARE_REPOS=true
```

### General Recommendations
1. Upgrade to n8n version 1.113.0 or later
2. Disable Git Node if not needed
3. Only clone trusted repositories
4. Implement workflow access controls
5. Monitor for suspicious git operations
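The root cause above is that git runs whatever executable script sits in the repository's hooks directory. As an added defensive check (not part of this POC repository or of n8n), the following bash function audits a checked-out or bare repository for active hook scripts before a workflow performs git operations on it, honouring a `core.hooksPath` redirect in the repository config; the function name and layout are hypothetical.

```bash
#!/usr/bin/env bash
# audit_git_hooks REPO_PATH
# Lists executable, non-.sample scripts in a repository's hooks directory and
# returns 1 if any are present, so a workflow can refuse to commit into a
# repository that carries active hooks. Hypothetical helper, not from the POC repo.
audit_git_hooks() {
    local repo="$1"
    local gitdir="$repo/.git"
    local hooks_dir="$gitdir/hooks"

    # A bare repository has no .git/ subdirectory; its hooks/ sits at the top level.
    if [ ! -d "$gitdir" ] && [ -d "$repo/hooks" ]; then
        gitdir="$repo"
        hooks_dir="$repo/hooks"
    fi

    # core.hooksPath in the repository config redirects hook lookup; honour it.
    # Keys in git config files are case-insensitive, hence grep -i.
    if [ -f "$gitdir/config" ]; then
        local custom
        custom=$(grep -i '^[[:space:]]*hooksPath[[:space:]]*=' "$gitdir/config" \
                 | head -n 1 | sed 's/^[^=]*=[[:space:]]*//')
        if [ -n "$custom" ]; then
            case "$custom" in
                /*) hooks_dir="$custom" ;;          # absolute path
                *)  hooks_dir="$repo/$custom" ;;    # relative to the work tree
            esac
        fi
    fi

    [ -d "$hooks_dir" ] || return 0   # nothing git could run, nothing to flag

    local found=0 hook
    for hook in "$hooks_dir"/*; do
        [ -f "$hook" ] || continue
        case "$hook" in *.sample) continue ;; esac   # git's inert template files
        if [ -x "$hook" ]; then                      # git only runs executable hooks
            printf 'ACTIVE HOOK: %s\n' "$hook"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone use: audit_git_hooks.sh /path/to/repo  (exit 1 = active hooks found)
if [ "$#" -gt 0 ]; then
    audit_git_hooks "$1"
fi
```

A non-zero exit from this check is a reasonable gate to place before any commit step in a workflow that operates on repositories it did not create.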

## References
- [CVE-2025-62726 Official Record](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-62726)
- [Wiz Vulnerability Database](https://www.wiz.io/vulnerability-database/cve/cve-2025-62726)
- [ZeroPath Technical Analysis](https://zeropath.com/blog/cve-2025-62726-n8n-git-node-rce-summary)

## Disclaimer
This POC is for educational purposes only. Only use this in controlled environments with proper authorization. Do not use this against systems you don't own or have explicit permission to test.
File snapshot

```
/data/pocs/c62b8f86b40b18f91d54b41d146d3d7bd1e0b620
├── [ 30K] ATTACK_FLOW_DIAGRAM.md
├── [ 22K] ATTACK_SCENARIOS.md
├── [8.4K] DEMO_GUIDE.md
├── [5.9K] DIRECT_METHOD.md
├── [1.1K] docker-compose.yml
├── [5.8K] FINAL_SETUP.md
├── [4.0K] malicious-repo
├── [6.1K] MITIGATION.md
├── [4.3K] n8n-workflow.json
├── [4.0K] payloads
│   └── [ 109] payload.sh
├── [9.5K] PRESENTATION_OUTLINE.md
├── [7.4K] QUICK_REFERENCE.md
├── [2.6K] QUICK_REVSHELL.md
├── [3.8K] README.md
├── [7.6K] REALISTIC_WORKFLOW.md
├── [9.7K] REMOTE_DEMO_STEPS.md
├── [ 19K] REMOTE_PAYLOAD_SETUP.md
├── [ 10K] REVERSE_SHELL_DEMO.md
├── [3.8K] run-demo.sh
├── [ 16K] SETUP_MALICIOUS_REPO.md
├── [ 724] start-payload-server.sh
├── [7.8K] verify-setup.sh
└── [4.9K] WORKFLOW_FIXED.md

3 directories, 22 files
```