CVE-2025-57749: n8n: symlink traversal enables arbitrary file read/write

MEDIUM
Published August 20, 2025
CISO Take

Self-hosted n8n instances before 1.106.0 allow any authenticated workflow user to read or write arbitrary files on the host by chaining the Execute Command and Read/Write File nodes via symlinks. In AI pipeline contexts this directly exposes LLM API keys, RAG database credentials, and model configs stored on the host. Update to 1.106.0 immediately; if patching is not possible today, restrict Execute Command and Read/Write File node access to trusted users only and isolate n8n with minimal filesystem mounts.

Risk Assessment

CVSS 6.5 (Medium) understates operational risk for organizations running self-hosted n8n as an AI workflow orchestrator. Low complexity and low privilege requirements mean any authenticated workflow editor can exploit this without specialized knowledge. The attack surface expands significantly when the n8n host stores sensitive AI stack credentials—OpenAI/Anthropic API keys, vector DB passwords, database URIs—in local files or environment stores. n8n.cloud is explicitly unaffected; risk is isolated to self-hosted deployments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
n8n npm No patch


Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 35% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

Recommended Action

  1. Patch: Update n8n to version 1.106.0 or later immediately — this is the only complete fix.

  2. Access control: Restrict Execute Command and Read/Write File node usage to a minimum set of trusted users; audit current workflow permissions for unexpected access.

  3. Containment: Run n8n in a container with a minimal read-only filesystem bind mount; avoid mounting the host root or home directories.

  4. Secrets hygiene: Move all credentials (LLM API keys, DB passwords) out of local files and into a secrets manager (HashiCorp Vault, AWS Secrets Manager); ensure .env files are not present on the n8n host filesystem.

  5. Detection: Review n8n workflow execution logs for Execute Command node invocations creating symlinks (ln -s); alert on Read/Write File node operations resolving paths outside expected working directories.

  6. Verify exposure: Inventory what sensitive files exist on the n8n host filesystem that could be read by a low-privileged workflow user.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operation
NIST AI RMF
MANAGE 2.2 - Mechanisms to manage AI risks through technical controls
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-57749?

Self-hosted n8n instances before 1.106.0 allow any authenticated workflow user to read or write arbitrary files on the host by chaining the Execute Command and Read/Write File nodes via symlinks. In AI pipeline contexts this directly exposes LLM API keys, RAG database credentials, and model configs stored on the host. Update to 1.106.0 immediately; if patching is not possible today, restrict Execute Command and Read/Write File node access to trusted users only and isolate n8n with minimal filesystem mounts.

Is CVE-2025-57749 actively exploited?

No confirmed active exploitation of CVE-2025-57749 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-57749?

  1. Patch: Update n8n to version 1.106.0 or later immediately — this is the only complete fix.

  2. Access control: Restrict Execute Command and Read/Write File node usage to a minimum set of trusted users; audit current workflow permissions for unexpected access.

  3. Containment: Run n8n in a container with a minimal read-only filesystem bind mount; avoid mounting the host root or home directories.

  4. Secrets hygiene: Move all credentials (LLM API keys, DB passwords) out of local files and into a secrets manager (HashiCorp Vault, AWS Secrets Manager); ensure .env files are not present on the n8n host filesystem.

  5. Detection: Review n8n workflow execution logs for Execute Command node invocations creating symlinks (ln -s); alert on Read/Write File node operations resolving paths outside expected working directories.

  6. Verify exposure: Inventory what sensitive files exist on the n8n host filesystem that could be read by a low-privileged workflow user.

What systems are affected by CVE-2025-57749?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration pipelines, RAG pipelines, training pipelines, model serving.

What is the CVSS score for CVE-2025-57749?

CVE-2025-57749 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.15%.

Technical Details

NVD Description

n8n is a workflow automation platform. Before 1.106.0, a symlink traversal vulnerability was discovered in the Read/Write File node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links (symlinks). An attacker with the ability to create symlinks—such as by using the Execute Command node—could exploit this to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths. Users of n8n.cloud are not impacted. Affected users should update to version 1.106.0 or later.

Exploitation Scenario

An attacker with low-privilege workflow editing access in a self-hosted n8n AI automation environment creates a new workflow. Using the Execute Command node, they run: `ln -s /home/appuser/.env /tmp/n8n-files/env_link` — creating a symlink from a permitted directory to the sensitive target. They then trigger the Read File node with the symlink path, which resolves the symlink and returns the contents of the restricted file, bypassing the intended directory check. The attacker captures OpenAI API keys, Anthropic API keys, Pinecone/Weaviate credentials, or database connection strings. These credentials then enable lateral movement into the broader AI infrastructure — compromising model inference APIs, poisoning vector databases, or incurring unbounded API costs. The entire exploit chain requires only standard n8n workflow nodes and a few minutes to execute.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
August 20, 2025
Last Modified
September 3, 2025
First Seen
August 20, 2025

Related Vulnerabilities