manyaigdtuw/CVE-2025-68613_Scanner

n8n CVE-2025-68613 Internet Scanner

A Tkinter-based GUI tool to discover publicly exposed n8n instances via Shodan and test them for exposure to CVE‑2025‑68613 across a wide version range.

The scanner:

  • Queries Shodan with multiple fingerprints (title, HTML markers, favicons, cloud orgs) to find likely n8n hosts on common ports (e.g. 5678).
  • Connects to candidates and probes key endpoints: /, /login, /workflow, /rest/healthz.
  • Attempts to extract the running n8n version from HTML / JS using several heuristics.
  • Classifies each host as VULNERABLE, SAFE, UNKNOWN, or FAILED based on version and connectivity.
  • Stores all results in a local SQLite database and offers CSV export.

⚠️ Legal notice
This tool is intended for security research, education, and testing of systems that you own or are explicitly authorised to test.
Scanning random hosts on the internet may violate laws or terms of service in your jurisdiction.
Use responsibly and at your own risk.


Features

  • GUI frontend built with Tkinter (no CLI arguments needed).
  • Shodan integration with many tailored queries (title, favicon hashes, HTML signatures, cloud provider filters, etc.).
  • Concurrent scanning using ThreadPoolExecutor and worker queues for high throughput.
  • Endpoint dashboard:
    • Shows discovered instances (IP, country, version, vulnerable YES/NO).
    • Detailed results table: time, IP:Port, version, status, endpoints, country.
  • Robust state tracking: discovered / tested / vulnerable / failed counters with live updates.
  • SQLite backend (n8n_results.db) storing hosts and per-scan test results.
  • CSV export of all scan results for offline analysis.

Installation

Prerequisites

  • Python 3.9+ (tested with 3.10).
  • A Shodan account and a valid browser cookie for www.shodan.io (polito cookie).
  • Network connectivity that allows outbound HTTP to potential n8n hosts (typically port 5678).

Clone the repository and run the interface

Scan controls (left panel)

  • Mode
    • Shodan: search internet-facing hosts using Shodan queries.
    • Scan IP range: reserved for future work (currently uses Shodan-style producer logic; keep Shodan selected).
  • Threads: number of parallel consumer workers (default: 20).
  • Shodan Cookie: paste your polito cookie value from browser dev tools (Domain: www.shodan.io).

Then press Start Scan. To stop scanning, press Stop; the tool will finish processing in-flight tasks and update the stats.

Understanding statuses

Per host, the “Status” column can be:

  • VULNERABLE – version falls within the CVE‑2025‑68613 range (≥ 0.211.0 and < 1.122.0).
  • SAFE – version successfully parsed but is outside the vulnerable window.
  • UNKNOWN – host responded but version could not be reliably extracted from HTML/JS.
  • FAILED – scanner could not reach the host at all (TCP refused / timed out / other error).

The “Endpoints” summary shows a compact view of the first few endpoints and their HTTP status codes, e.g.:

/:200; /login:200; /workflow:200.
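The status decision and the compact endpoint summary described above, as an added example in Python (it is not the repository's own code). It assumes only the version window the README states (≥ 0.211.0 and < 1.122.0); the function names `parse_version`, `classify`, `summarize_endpoints` and `tally`, the rule that "tested" counts every host that answered at all, and the sample records are this example's own, and the IPs are constructed documentation addresses. An operator can paste their own instance's version into `classify` to check where it falls.

```python
"""Added example (not the repository's own code): classify n8n hosts by the
CVE-2025-68613 version window the README states (>= 0.211.0, < 1.122.0).
Function names and the sample records below are this example's own."""
import re
from typing import Any, Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, int, int]

# Window bounds from the README; lower bound inclusive, upper bound exclusive.
VULN_MIN_VERSION: Version = (0, 211, 0)
VULN_MAX_VERSION: Version = (1, 122, 0)

# Accepts "1.121.4", "v1.121.4", "1.122.0-rc.1", "1.0.0+build.7"; rejects
# anything that is not a dotted major.minor.patch triple.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.]+)?$")


def parse_version(text: Optional[str]) -> Optional[Version]:
    """Turn a version string into a comparable (major, minor, patch) tuple.

    Returns None when the text is missing or not a version, so the caller can
    report UNKNOWN instead of guessing.  Pre-release and build suffixes are
    ignored for the range check: "1.122.0-rc.1" is treated as 1.122.0.
    """
    if not text:
        return None
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(reachable: bool, version_text: Optional[str]) -> str:
    """Map connectivity plus extracted version to the README's four statuses."""
    if not reachable:
        return "FAILED"          # no TCP/HTTP response at all
    version = parse_version(version_text)
    if version is None:
        return "UNKNOWN"         # host answered, but no version could be read
    if VULN_MIN_VERSION <= version < VULN_MAX_VERSION:
        return "VULNERABLE"
    return "SAFE"


def string_compare_is_wrong() -> bool:
    """Why numeric tuples matter: as strings, "1.9.0" sorts *after* "1.122.0",
    which would mark a vulnerable 1.9.0 instance SAFE.  Returns True when the
    naive string comparison disagrees with the numeric one."""
    a, b = parse_version("1.9.0"), parse_version("1.122.0")
    assert a is not None and b is not None
    return (a < b) != ("1.9.0" < "1.122.0")


def summarize_endpoints(endpoints: Sequence[Tuple[str, int]], limit: int = 3) -> str:
    """Compact "Endpoints" column in the README's '/:200; /login:200; ...' form,
    showing only the first `limit` probed paths."""
    return "; ".join(f"{path}:{code}" for path, code in endpoints[:limit])


def tally(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Dashboard counters (discovered / tested / vulnerable / failed).
    Assumption of this example: 'tested' counts every host that answered,
    i.e. everything except FAILED.  Each record gets its 'status' filled in."""
    counts = {"discovered": len(records), "tested": 0, "vulnerable": 0, "failed": 0}
    for rec in records:
        status = classify(bool(rec["reachable"]), rec.get("version"))
        rec["status"] = status
        if status == "FAILED":
            counts["failed"] += 1
        else:
            counts["tested"] += 1
        if status == "VULNERABLE":
            counts["vulnerable"] += 1
    return counts


# Constructed sample records (documentation-range IPs, not real hosts): what
# the probe stage would hand to the classifier.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"ip": "192.0.2.10", "reachable": True, "version": "1.121.4"},   # inside window
    {"ip": "192.0.2.11", "reachable": True, "version": "1.122.0"},   # first version outside
    {"ip": "192.0.2.12", "reachable": True, "version": "0.210.9"},   # before window
    {"ip": "192.0.2.13", "reachable": True, "version": "v1.9.0"},    # string-sort trap
    {"ip": "192.0.2.14", "reachable": True, "version": None},        # no version found
    {"ip": "192.0.2.15", "reachable": False, "version": None},       # timed out
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["ip"], classify(rec["reachable"], rec["version"]))
    print(tally([dict(r) for r in SAMPLE_RECORDS]))
    print(summarize_endpoints([("/", 200), ("/login", 200), ("/workflow", 200), ("/rest/healthz", 200)]))
```

The `string_compare_is_wrong` check is the edge case worth keeping in mind when reviewing any version-window scanner: a plain string comparison puts 1.9.0 after 1.122.0, so an old, exposed instance would be reported SAFE. Parsing into integer tuples before comparing avoids that.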

Database and export

  • Results are stored in n8n_results.db with two tables:
    • n8n_hosts: one row per IP, with last-seen attributes.
    • n8n_test_results: per-test results including status and endpoints JSON.
  • Click Export Results to write all results to a CSV file of your choice, including timestamps, IP, port, country, version, status, vulnerable flag, and raw endpoints JSON.

Configuration details

Key constants at the top of the script (class N8nScanner.__init__) control behaviour:

  • BASE_URL, FACET_URL: Shodan search endpoints.
  • DEFAULT_PORT: default n8n port (5678).
  • CONNECTION_TIMEOUT: HTTP timeout in seconds (default 15).
  • MAX_WORKERS: number of consumer threads.
  • VULN_MIN_VERSION, VULN_MAX_VERSION: version bounds for CVE‑2025‑68613.
  • max_debug_html: how many HTML snapshots to save for debugging.

Shodan queries include favicon hashes, HTML signatures, cloud provider filters, and n8n-specific strings to improve hit rate.


About

GUI Shodan-powered scanner to identify n8n instances exposed to CVE-2025-68613 (version range 0.211.0–1.122.0)