CVE-2025-61917

high

Description

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3.
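The following is an added example, not code from n8n or from the referenced patch. It checks a version string against the affected range stated above and shows one way to make `Buffer.allocUnsafe()` and `Buffer.allocUnsafeSlow()` return zero-filled memory; the helper names (`isAffected`, `zeroFillUnsafeAllocators`, `allocatorsReturnZeroed`) and the sample versions are assumptions made for illustration.

```javascript
'use strict';

// Affected range from the description: 1.65.0 <= version < 1.114.3.
const FIRST_AFFECTED = [1, 65, 0];
const FIRST_PATCHED = [1, 114, 3];

// Parse "1.114.3" (optionally "v"-prefixed; any pre-release suffix is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semantic version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compare(v, FIRST_AFFECTED) >= 0 && compare(v, FIRST_PATCHED) < 0;
}

// Hypothetical hardening shim: route the uninitialized allocators to the
// zero-filling Buffer.alloc() and return a function that restores the originals.
function zeroFillUnsafeAllocators(B = Buffer) {
  const saved = { allocUnsafe: B.allocUnsafe, allocUnsafeSlow: B.allocUnsafeSlow };
  B.allocUnsafe = (size) => B.alloc(size);
  B.allocUnsafeSlow = (size) => B.alloc(size);
  return () => Object.assign(B, saved);
}

// True when every byte handed back by both allocators is zero.
function allocatorsReturnZeroed(size = 8192, B = Buffer) {
  return [B.allocUnsafe(size), B.allocUnsafeSlow(size)]
    .every((buf) => buf.length === size && buf.every((byte) => byte === 0));
}

// Constructed sample versions, for illustration only.
for (const v of ['1.64.3', '1.65.0', '1.114.2', '1.114.3']) {
  console.log(v, isAffected(v) ? 'affected' : 'not affected');
}
const restoreAllocators = zeroFillUnsafeAllocators();
console.log('zero-filled after hardening:', allocatorsReturnZeroed());
restoreAllocators();
```

Without the shim the same check can pass or fail from run to run, because uninitialized memory may happen to be zero; the fix named in the description is upgrading to 1.114.3.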

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-49mx-fj45-q3p6

https://github.com/n8n-io/n8n/commit/2c4c2953199733c791f739a40879ae31ca129aba

Details

Source: Mitre, NVD

Published: 2026-02-04

Updated: 2026-02-05

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.7

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.00011