Yadhu's Blog

Breaking Down the n8n Git Node Vulnerability: CVE-2026-25053 (Remote Code Execution)

What it is: A vulnerability in the Git node that allows execution of system commands or arbitrary file access.

Impact: Authenticated users with workflow permissions can execute commands on the n8n host or read sensitive files.

Fix: This issue was addressed in n8n versions 1.123.10 and 2.5.0. Users are strongly encouraged to upgrade to these or later releases to mitigate the vulnerability.

CVE: CVE-2026-25053
GHSA: GHSA-9g95-qf3f-ggrw
CVSS Score: 9.4 (Critical)

Note: n8n combined all the vulnerabilities discussed in this post into a single CVE (CVE-2026-25053) and GHSA advisory. This CVE covers the entire security hardening journey, including the Windows path separator bypass, TOCTOU vulnerabilities, config key injection, and other Git node security issues.

SupplyShield: Open-Source Framework for Securing Software Supply Chains at Scale

Today, we’re excited to announce the open-source release of SupplyShield, an application security orchestration framework designed to secure software supply chains end-to-end. SupplyShield addresses the critical gap between running security scanners and actually operationalizing their results at scale.

PyCGI: From Nginx Path-Traversal to RCE; bi0s CTF 2022

This year I contributed 2 challenges to bi0s CTF (formerly InCTF Internationals).

In this post, we discuss the intended solution to the PyCGI challenge. The source code of this challenge can be downloaded from here.

# Analysis

We are provided with 2 attachments for this challenge:

  1. Dockerfile
  2. Nginx.conf

Looking into the Nginx configuration, we can find that there is a potential path traversal in the /static endpoint. You can read more about this here.

Unlocking the EmoLocker: bi0s CTF 2022 - Author’s Writeup

In this post, we discuss the solution to the EmoLocker challenge from bi0s CTF 2022. The source code of this challenge can be downloaded from here.

# Analysis

Upon opening the challenge link, we are presented with a lockscreen that uses emojis instead of numbers. The page has two features: register and login. Additionally, there is an admin bot, which suggests that the challenge may involve client-side concepts.