CVE-2025-61917
📋 TL;DR
This vulnerability in the n8n workflow automation platform allows uninitialized memory allocation via Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner. Attackers could potentially access residual sensitive data from the Node.js process memory, including secrets, tokens, or prior request data. Affected users are those running n8n versions 1.65.0 through 1.114.2.
💻 Affected Systems
- n8n
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive data including API keys, credentials, authentication tokens, and proprietary workflow data stored in process memory.
Likely Case
Information disclosure of residual data from previous tasks or requests, potentially exposing some sensitive information but not full system compromise.
If Mitigated
Limited impact with proper network segmentation and minimal sensitive data in workflow processes.
🎯 Exploit Status
Exploitation requires ability to execute untrusted code in n8n task runner. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.114.3
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-49mx-fj45-q3p6
Restart Required: Yes
Instructions:
1. Back up your n8n instance and workflows.
2. Update n8n to version 1.114.3 or later using npm: 'npm update n8n'.
3. Restart the n8n service.
4. Verify the update with 'n8n --version'.
🔧 Temporary Workarounds
Disable untrusted workflow execution
Restrict workflow execution to trusted sources only to prevent untrusted code from exploiting the buffer allocation vulnerability.
Memory isolation via containerization
Run n8n in isolated containers with limited memory access to reduce potential data exposure scope.
docker run --memory=512m --memory-swap=1g n8nio/n8n
🧯 If You Can't Patch
- Implement strict network segmentation to isolate n8n instances from sensitive systems
- Minimize sensitive data stored in n8n workflows and use external secret management
🔍 How to Verify
Check if Vulnerable:
Check n8n version with 'n8n --version' or in package.json. If version is between 1.65.0 and 1.114.2 inclusive, the system is vulnerable.
Check Version:
n8n --version
Verify Fix Applied:
After updating, verify version is 1.114.3 or later with 'n8n --version'. Check that Buffer.allocUnsafe() usage has been replaced with Buffer.alloc() in task runner code.
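The two checks above, as an added example that is not n8n's code or part of the vendor advisory: a version-range test for the advisory's affected range (1.65.0 through 1.114.2, fixed in 1.114.3) that can be fed the output of 'n8n --version', and the unsafe-versus-safe allocation pattern the fix replaces, with a helper that tells the two apart. All function names are assumptions; the residue demonstration writes a constructed placeholder secret and its count is intentionally not deterministic, since it depends on Node's internal buffer pool.

```javascript
// Added example, not n8n's code: (1) a check of whether a reported n8n version
// falls in the advisory's affected range, and (2) the unsafe-versus-safe
// allocation pattern the fix replaces, with a helper that tells them apart.

// Parse "1.114.2" (or "v1.114.2") into [1, 114, 2]; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two semver-style strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range from the advisory: 1.65.0 through 1.114.2 inclusive; 1.114.3 is the fix.
const FIRST_AFFECTED = '1.65.0';
const FIRST_FIXED = '1.114.3';

// True when `version` (e.g. the output of `n8n --version`) is in the affected range.
function isVulnerableVersion(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIRST_FIXED) < 0;
}

// Hypothetical "before" pattern: Buffer.allocUnsafe() returns memory that may
// still hold whatever a previous allocation wrote there.
function allocateUnsafe(size) {
  return Buffer.allocUnsafe(size);
}

// Hardened pattern: Buffer.alloc() is zero-filled before it is handed out.
function allocateSafe(size) {
  return Buffer.alloc(size);
}

// Count bytes that are not zero; a freshly zero-filled buffer always returns 0.
function nonZeroBytes(buf) {
  let n = 0;
  for (const b of buf) if (b !== 0) n++;
  return n;
}

// Demonstration only: write a constructed secret into unsafe memory, drop it,
// allocate again and report how many non-zero bytes the new buffer already holds.
// The unsafe count depends on Node's internal buffer pool, so it is not deterministic;
// the safe count is always 0.
function residueDemo(size = 64) {
  let first = allocateUnsafe(size);
  first.write('constructed-secret-token-0123456789', 0, 'utf8'); // constructed value
  first = null; // drop our reference; the pooled memory is not scrubbed
  const second = allocateUnsafe(size);
  return {
    unsafeResidue: nonZeroBytes(second),
    safeResidue: nonZeroBytes(allocateSafe(size)),
  };
}

// Stand-alone run: classify a few version strings and show the allocation difference.
for (const v of ['1.64.9', '1.65.0', '1.114.2', '1.114.3']) {
  console.log(`${v}: ${isVulnerableVersion(v) ? 'VULNERABLE' : 'not affected'}`);
}
console.log(residueDemo());
```

The version check compares numerically rather than as strings, so 1.9.x sorts before 1.10.x and 1.114.3 is correctly reported as fixed; the allocation helpers show why replacing Buffer.allocUnsafe() with Buffer.alloc() closes the issue, since only the latter guarantees zero-filled memory.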
📡 Detection & Monitoring
Log Indicators:
- Unusual memory allocation patterns in Node.js logs
- Multiple large buffer allocations in short timeframes
Network Indicators:
- Unexpected data exfiltration from n8n instances
- Unusual outbound connections from workflow automation systems
SIEM Query:
source="n8n" AND ("Buffer.allocUnsafe" OR "memory allocation" OR "process.memoryUsage()")