CVE-2025-55526
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-09-15
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | fastapi | 0.115.14 |
| n8n | pydantic | 2.11.7 |
| n8n | uvicorn | 0.35.0 |
| microsoft | windows_11 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55526 is a Path Traversal vulnerability in the n8n-workflows project. It occurs in the download_workflow function within api_server.py, where the filename parameter is not properly sanitized. An attacker can use directory traversal sequences like "..\" or its URL-encoded form "..%5c" in the filename to escape the intended workflows directory and download arbitrary files from the server. [1]
How can this vulnerability impact me? :
This vulnerability allows an attacker to download arbitrary files from the server hosting the n8n-workflows application. This could lead to exposure of sensitive files, source code, configuration files, or other data that should not be accessible, potentially compromising the security and privacy of the system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable endpoint with directory traversal sequences in the filename parameter. For example, you can use a command like: curl -v "http://localhost:8000/api/workflows/..%5capi_server.py/download" to see if the server allows downloading files outside the intended directory. If the file api_server.py or other files outside the workflows directory are downloaded, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating the filename input in the download_workflow function to prevent directory traversal sequences such as '..\' or '..%5c'. Restrict file access strictly to the intended workflows directory by properly resolving and checking file paths before serving files. Additionally, consider applying patches or updates if available, or temporarily disabling the vulnerable endpoint until a fix is implemented. [1]