CVE-2025-68949
n8n: Webhook Node IP Whitelist Bypass via Partial String Matching
Description
## Impact The Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. ## Patches This issue has been patched in version 2.2.0. Users are advised to upgrade to v2.2.0 or later, where IP whitelist validation uses strict IP comparison logic rather than partial string matching. ## Workarounds Users unable to upgrade immediately should avoid relying solely on IP whitelisting for webhook security. Recommended mitigations include: - Adding authentication mechanisms such as shared secrets, HMAC signatures, or API keys. - Avoiding short or prefix-based whitelist entries. - Enforcing IP filtering at the network layer (for example, via reverse proxies or firewalls).
How to fix CVE-2025-68949
To remediate CVE-2025-68949, upgrade the affected package to a fixed version below.
- —upgrade to 2.2.0 or later
Is CVE-2025-68949 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.36.0, < 2.2.0