CVE-2025-49595: n8n: DoS via empty filesystem URI in binary-data API
Severity: MEDIUM. PoC available.
If your AI automation stack uses n8n (self-hosted or n8n.cloud), patch to v1.99.0 immediately — the fix is available and the attack is trivial to execute. Although high privileges are required, any authenticated user or compromised service account can trigger resource exhaustion on /rest/binary-data with a single malformed GET request, taking down all workflows on the instance. In AI agent pipelines, this translates to complete loss of automation capability — no remediation path without a restart.
Risk Assessment
Effective risk is moderate-to-high in production AI environments despite the medium CVSS score. The high-privilege requirement (CVSS PR:H) is the only real barrier — once an attacker has any authenticated n8n session (insider, compromised token, stolen cookie), exploitation is trivially reproducible with no special tooling. n8n.cloud confirmed vulnerable with observable HTTP/2 524 timeout signatures, meaning this is detectable but not preventable without patching. Organizations running n8n as the backbone of their AI agent orchestration have a single point of failure here.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.99.0 | 1.99.0 |
Recommended Action
1. PATCH: Upgrade to n8n v1.99.0 — this is the only complete fix.
2. IMMEDIATE WORKAROUND: If patching is delayed, add a reverse-proxy rule (nginx/Caddy) blocking GET requests to /rest/binary-data where the query parameter contains 'filesystem://' or 'filesystem-v2://' with no subsequent path.
3. RATE LIMIT: Apply per-user rate limiting on the /rest/binary-data endpoint to limit blast radius from a single compromised account.
4. DETECTION: Alert on HTTP 524 responses from n8n endpoints; query logs for GET /rest/binary-data with URI-encoded 'filesystem://' patterns.
5. AUDIT: Review n8n API tokens and service accounts — rotate any that are broadly shared, as the attack requires valid credentials.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-49595 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-49595, increasing the risk of exploitation.
What systems are affected by CVE-2025-49595?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, workflow automation pipelines, RAG pipelines, LLM orchestration layers, multi-agent systems.
What is the CVSS score for CVE-2025-49595?
CVE-2025-49595 has a CVSS v3.1 base score of 4.9 (MEDIUM). The EPSS exploitation probability is 0.29%.
Technical Details
NVD Description
n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial of service vulnerability in the /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability through malformed filesystem URI requests, affecting the /rest/binary-data endpoint and n8n.cloud instances (confirmed HTTP/2 524 timeout responses). Attackers can exploit this by sending GET requests with empty filesystem URIs (filesystem:// or filesystem-v2://) to the /rest/binary-data endpoint, causing resource exhaustion and service disruption. This issue has been patched in version 1.99.0.
Exploitation Scenario
A disgruntled DevOps engineer or a threat actor who has phished an n8n service account token sends a loop of GET requests to https://<n8n-instance>/rest/binary-data?id=filesystem:// — the empty URI causes the binary data handler to enter a blocking resource-exhaustion state. Within seconds, the n8n worker pool is saturated, all executing AI workflows (LLM calls, RAG retrievals, agent tool invocations) time out, and the instance returns 524 errors to all users. The attacker needs no knowledge of AI systems — this is a standard API abuse pattern. On n8n.cloud, the attack signature is identical and has been confirmed to produce observable HTTP/2 524 responses.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion (same package: n8n)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27495 (9.9) n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (same package: n8n)