CVE-2025-62726: n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook

October 30, 2025

A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution.

This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows.

All users with workflows that utilize the Git Node to clone untrusted repositories are affected.

References

github.com/advisories/GHSA-xgp7-7qjq-vg47
github.com/n8n-io/n8n
github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997
github.com/n8n-io/n8n/pull/19559
github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47
nvd.nist.gov/vuln/detail/CVE-2025-62726

Code Behaviors & Features

Detect and mitigate CVE-2025-62726 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →