Denial of Service Flaw in n8n Workflow Automation Platform
CVE-2025-49595

4.9MEDIUM

Key Information:

Vendor: N8n-io
Status: N8n
Vendor: CVE Published:; 3 July 2025

What is CVE-2025-49595?

The n8n workflow automation platform has a vulnerability in the /rest/binary-data endpoint, affecting versions before 1.99.0. This flaw allows authenticated users to execute denial of service attacks by submitting malformed filesystem URIs (specifically filesystem:// or filesystem-v2://), leading to resource exhaustion and consequently causing the service to become unavailable. Users experiencing this issue may encounter HTTP/2 524 timeout errors, impacting both self-hosted and n8n.cloud instances. Mitigation has been provided in version 1.99.0, requiring users to update to ensure continued service reliability.

Affected Version(s)

n8n < 1.99.0

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-pr...

x_refsource_CONFIRM

https://github.com/n8n-io/n8n/pull/16229

x_refsource_MISC

https://github.com/n8n-io/n8n/commit/43c52a8b4f844e91b02e...

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 3, 2025
Vulnerability Reserved
Jun 6, 2025

N8n-io

What is CVE-2025-49595?

Affected Version(s)

References

CVSS V3.1

Timeline