CVE-2025-61917

HIGH

NPM N8n < 1.114.3 - Information Disclosure

Title source: rule

Description

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3.

References (2)

[Vendor Advisory] https://github.com/n8n-io/n8n/security/advisories/GHSA-49mx-fj45-q3p6

[Patch] https://github.com/n8n-io/n8n/commit/2c4c2953199733c791f739a40879ae31ca129aba

View Patch ZIP pw:eip

Scores

CVSS v3 7.7

EPSS 0.0002

EPSS Percentile 5.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-668 CWE-200

Status published

Products (2)

n8n/n8n 1.65.0 - 1.114.3

npm/n8n 1.65.0 - 1.114.3npm

Published Feb 04, 2026

Tracked Since Feb 18, 2026