CVE-2025-55526
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-26

Last updated on: 2025-09-15

Assigner: MITRE

Description
n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-26
Last Modified
2025-09-15
Generated
2026-06-16
AI Q&A
2025-08-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-55526
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
n8n fastapi 0.115.14
n8n pydantic 2.11.7
n8n uvicorn 0.35.0
microsoft windows_11 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-55526 is a Path Traversal vulnerability in the n8n-workflows project. It occurs in the download_workflow function within api_server.py, where the filename parameter is not properly sanitized. An attacker can use directory traversal sequences like "..\" or its URL-encoded form "..%5c" in the filename to escape the intended workflows directory and download arbitrary files from the server. [1]

Impact Analysis

This vulnerability allows an attacker to download arbitrary files from the server hosting the n8n-workflows application. This could lead to exposure of sensitive files, source code, configuration files, or other data that should not be accessible, potentially compromising the security and privacy of the system. [1]

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable endpoint with directory traversal sequences in the filename parameter. For example, you can use a command like: curl -v "http://localhost:8000/api/workflows/..%5capi_server.py/download" to see if the server allows downloading files outside the intended directory. If the file api_server.py or other files outside the workflows directory are downloaded, the vulnerability is present. [1]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating the filename input in the download_workflow function to prevent directory traversal sequences such as '..\' or '..%5c'. Restrict file access strictly to the intended workflows directory by properly resolving and checking file paths before serving files. Additionally, consider applying patches or updates if available, or temporarily disabling the vulnerable endpoint until a fix is implemented. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55526. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart