Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 4.9 npm

n8n Vulnerable to Denial of Service via Malformed Binary Data Requests

GHSA-pr9r-gxgp-9rm8 · CVE-2025-49595

Published · Modified

Description

Summary

Denial of Service vulnerability in /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://).

Impact

This is a Denial of Service (DoS) vulnerability that allows authenticated attackers to cause service unavailability through malformed filesystem URI requests. The vulnerability affects:

  • The /rest/binary-data endpoint
  • n8n.cloud instances (confirmed HTTP/2 524 timeout responses)

Attackers can exploit this by sending GET requests with empty filesystem URIs (filesystem:// or filesystem-v2://) to the /rest/binary-data endpoint, causing resource exhaustion and service disruption.

Patches

The issue has been patched in 1.99.0.
All users should upgrade to this version or later.

The fix introduces strict checking of URI patterns.

Patch commit: https://github.com/n8n-io/n8n/pull/16229

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes