n8n Vulnerable to Denial of Service via Malformed Binary Data Requests
Description
n8n is a workflow automation platform. Prior to version 1.99.0, the /rest/binary-data endpoint has a denial of service vulnerability when it processes an empty filesystem URI (filesystem:// or filesystem-v2://). An authenticated attacker can send GET requests carrying such a malformed filesystem URI to /rest/binary-data and cause resource exhaustion and service unavailability; this affects the /rest/binary-data endpoint on self-hosted instances and on n8n.cloud (confirmed by HTTP/2 524 timeout responses; HTTP 524 is the status Cloudflare returns when the origin does not answer within its timeout, so the symptom is the backend failing to respond rather than an error it sent). The issue has been patched in version 1.99.0.
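To make the validation gap concrete, the following is an added example in TypeScript, not code from n8n or from the advisory. It re-creates the binary-data ID check the controller performed before the fix, the check after the fix as it appears in the patch, and a stricter variant of my own that normalises the path before deciding. The mode list (only the two modes the advisory names), the helper names and the sample IDs are assumptions; the advisory does not say what the binary-data service does with an empty path downstream, so the example only shows which IDs each check lets through.

```typescript
// Added example: re-creates the binary-data ID validation before and after the
// 1.99.0 fix, plus a stricter variant. Illustrative code, not n8n's own.

// Assumption: only the two modes the advisory names. n8n's real
// isValidNonDefaultMode() is not reproduced here.
const NON_DEFAULT_MODES = new Set(['filesystem', 'filesystem-v2']);

function isValidNonDefaultMode(mode: string): boolean {
  return NON_DEFAULT_MODES.has(mode);
}

class BadRequestError extends Error {}

type ParsedId = { mode: string; path: string };

// Pre-fix logic: requires only a ':' and a known mode. "filesystem://" passes
// with mode "filesystem" and an empty-looking path of "//".
function parseBinaryDataIdBefore(binaryDataId: string): ParsedId {
  if (!binaryDataId) throw new BadRequestError('Missing binary data ID');
  if (!binaryDataId.includes(':')) throw new BadRequestError('Missing binary data mode');
  const [mode] = binaryDataId.split(':');
  if (!isValidNonDefaultMode(mode)) throw new BadRequestError('Invalid binary data mode');
  return { mode, path: binaryDataId.substring(mode.length + 1) };
}

// Fixed logic (1.99.0): split at the first ':' and reject the three empty-path
// spellings listed in the patch.
function parseBinaryDataIdPatched(binaryDataId: string): ParsedId {
  if (!binaryDataId) throw new BadRequestError('Missing binary data ID');
  const separatorIndex = binaryDataId.indexOf(':');
  if (separatorIndex === -1) throw new BadRequestError('Malformed binary data ID');
  const mode = binaryDataId.substring(0, separatorIndex);
  if (!isValidNonDefaultMode(mode)) throw new BadRequestError('Invalid binary data mode');
  const path = binaryDataId.substring(separatorIndex + 1);
  if (path === '' || path === '/' || path === '//') {
    throw new BadRequestError('Malformed binary data ID');
  }
  return { mode, path };
}

// Stricter variant (added hardening, not from the patch): any path that is empty
// once leading slashes and whitespace are stripped is malformed, so
// "filesystem:///" and "filesystem: " are rejected as well.
function parseBinaryDataIdStrict(binaryDataId: string): ParsedId {
  const parsed = parseBinaryDataIdPatched(binaryDataId);
  if (parsed.path.replace(/^[\/\s]+/, '') === '') {
    throw new BadRequestError('Malformed binary data ID');
  }
  return parsed;
}

type Verdict = 'accepted' | 'rejected';
type Row = { before: Verdict; patched: Verdict; strict: Verdict };

// Runs one parser over an ID and reports accept/reject instead of throwing.
function verdict(parse: (id: string) => ParsedId, id: string): Verdict {
  try {
    parse(id);
    return 'accepted';
  } catch (e) {
    if (e instanceof BadRequestError) return 'rejected';
    throw e;
  }
}

// Constructed sample IDs: the six from the fix's test table, one ordinary ID,
// one with no separator, and two that sit just outside the literal denylist.
const SAMPLE_IDS = [
  'filesystem:', 'filesystem-v2:', 'filesystem:/', 'filesystem-v2:/',
  'filesystem://', 'filesystem-v2://',
  'filesystem:123', 'filesystem', 'filesystem:///', 'filesystem: ',
];

// Returns, per ID, what each of the three checks decides.
function compare(ids: string[] = SAMPLE_IDS): Record<string, Row> {
  const out: Record<string, Row> = {};
  for (const id of ids) {
    out[id] = {
      before: verdict(parseBinaryDataIdBefore, id),
      patched: verdict(parseBinaryDataIdPatched, id),
      strict: verdict(parseBinaryDataIdStrict, id),
    };
  }
  return out;
}

for (const [id, row] of Object.entries(compare())) {
  console.log(
    `${JSON.stringify(id).padEnd(20)} before=${row.before.padEnd(8)} ` +
    `patched=${row.patched.padEnd(8)} strict=${row.strict}`,
  );
}
```

The pre-fix check accepts every ID in the fix's own test table, because each one contains a colon followed by a known mode. The patched check rejects those six but, being an exact-string comparison, still passes `filesystem:///` and a whitespace-only path; the strict variant shows one way to close that class rather than three spellings of it.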
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| n8n (npm) | < 1.99.0 | 1.99.0 |
Patches
43c52a8b4f8 fix(core): Prevent DoS via malformed binary data ID (#16229)
2 files changed · +32 −5
packages/cli/src/controllers/binary-data.controller.ts+12 −3 modified@@ -47,14 +47,23 @@ export class BinaryDataController { throw new BadRequestError('Missing binary data ID'); } - if (!binaryDataId.includes(':')) { - throw new BadRequestError('Missing binary data mode'); + const separatorIndex = binaryDataId.indexOf(':'); + + if (separatorIndex === -1) { + throw new BadRequestError('Malformed binary data ID'); } - const [mode] = binaryDataId.split(':'); + const mode = binaryDataId.substring(0, separatorIndex); + if (!isValidNonDefaultMode(mode)) { throw new BadRequestError('Invalid binary data mode'); } + + const path = binaryDataId.substring(separatorIndex + 1); + + if (path === '' || path === '/' || path === '//') { + throw new BadRequestError('Malformed binary data ID'); + } } private async setContentHeaders(
packages/cli/src/controllers/__tests__/binary-data.controller.test.ts+20 −2 modified@@ -26,7 +26,7 @@ describe('BinaryDataController', () => { await controller.get(request, response, query); expect(response.status).toHaveBeenCalledWith(400); - expect(response.end).toHaveBeenCalledWith('Missing binary data mode'); + expect(response.end).toHaveBeenCalledWith('Malformed binary data ID'); }); it('should return 400 if binary data mode is invalid', async () => { @@ -152,6 +152,24 @@ describe('BinaryDataController', () => { expect(result).toBe(stream); expect(binaryDataService.getAsStream).toHaveBeenCalledWith('filesystem:123'); }); + + describe('with malicious binary data IDs', () => { + it.each([ + ['filesystem:'], + ['filesystem-v2:'], + ['filesystem:/'], + ['filesystem-v2:/'], + ['filesystem://'], + ['filesystem-v2://'], + ])('should return 400 for ID "%s"', async (maliciousId) => { + const query = { id: maliciousId, action: 'download' } as BinaryDataQueryDto; + + await controller.get(request, response, query); + + expect(response.status).toHaveBeenCalledWith(400); + expect(response.end).toHaveBeenCalledWith('Malformed binary data ID'); + }); + }); }); describe('getSigned', () => { @@ -162,7 +180,7 @@ describe('BinaryDataController', () => { await controller.getSigned(request, response, query); expect(response.status).toHaveBeenCalledWith(400); - expect(response.end).toHaveBeenCalledWith('Missing binary data mode'); + expect(response.end).toHaveBeenCalledWith('Malformed binary data ID'); }); it('should return 400 if binary data mode is invalid', async () => {
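Review bot: the new `path === '' || path === '/' || path === '//'` check in the binary-data.controller.ts hunk is an exact-string denylist, so a path of `///`, a whitespace-only path, or `/./` passes it unchanged while `//` does not. If the rule is "nothing usable after the mode", test the normalised value instead, for example `if (path.replace(/^\/+/, '').trim() === '')`, or validate the whole ID against the shape the binary-data service actually expects, so the check covers the class rather than three spellings of it. Splitting on the first `:` with `indexOf`/`substring` matches what `split(':')` did before, so that part is fine.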
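Review bot: the `it.each` table in the `with malicious binary data IDs` block lists exactly the three literals the controller rejects, once per mode, so it cannot distinguish a literal denylist from a normalising check and will keep passing if the rule is later widened or narrowed by accident. Add a case just past the boundary (`'filesystem:///'`, and a whitespace-only path such as `'filesystem: '`) with whichever status is intended, so the test pins the rule rather than the current implementation; the existing `filesystem:123` case already covers the accepting side.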
References
- github.com/advisories/GHSA-pr9r-gxgp-9rm8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-49595 (NVD advisory)
- github.com/n8n-io/n8n/commit/43c52a8b4f844e91b02e3cc9df92826a2d7b6052 (fix commit)
- github.com/n8n-io/n8n/pull/16229 (pull request)
- github.com/n8n-io/n8n/security/advisories/GHSA-pr9r-gxgp-9rm8 (vendor advisory, confirmed)