CVE-2025-55526
📋 TL;DR
This vulnerability in n8n-workflows allows attackers to perform directory traversal attacks through the download_workflow function in api_server.py. Attackers can potentially read arbitrary files on the server, including sensitive configuration files and credentials. This affects any n8n-workflows deployment using the vulnerable version.
💻 Affected Systems
- n8n-workflows
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like SSH keys, database credentials, or configuration secrets, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive files containing API keys, passwords, or configuration data, enabling further attacks or data theft.
If Mitigated
Limited impact if proper file permissions restrict access to sensitive files and the service runs with minimal privileges.
🎯 Exploit Status
Directory traversal vulnerabilities typically have low exploitation complexity. The GitHub issue suggests the vulnerability is known but no public exploit code is confirmed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/Zie619/n8n-workflows/issues/48
Restart Required: Yes
Instructions:
1. Monitor the GitHub repository for patches.
2. Apply any available security updates.
3. Restart the n8n-workflows service after patching.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to reject directory traversal sequences in workflow download requests.
# Modify api_server.py to validate file paths
# Example: if '..' in requested_path: return error
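A bare '..' substring test is weaker than it looks: it never sees percent-encoded sequences such as '%2e%2e/', and an absolute path contains no '..' at all. The following is an added example, not code from the n8n-workflows project, of the containment check a fix should perform: decode the request, resolve it against the workflow directory, and refuse anything that lands outside it. The directory path and the function names are assumptions.

```python
from pathlib import Path
from urllib.parse import unquote

# Assumed location of the stored workflow files. This path is a
# placeholder for the example, not the project's real configuration.
WORKFLOW_DIR = Path("/srv/n8n-workflows/workflows")


def weak_check(requested_path: str) -> bool:
    """The bare substring test from the workaround: True means 'allowed'.

    It never decodes the request, so '%2e%2e/' slips through, and an
    absolute path such as '/etc/passwd' contains no '..' at all.
    """
    return ".." not in requested_path


def resolve_workflow_path(requested_path: str, base: Path = WORKFLOW_DIR) -> Path:
    """Map a requested workflow file name to a path inside `base`.

    Raises ValueError for anything that would escape the directory.
    Works for files that do not exist yet, so it can run offline.
    """
    # Decode twice so single- and double-percent-encoded sequences
    # ('%2e%2e', '%252e%252e') are compared in their literal form.
    decoded = unquote(unquote(requested_path))
    if Path(decoded).is_absolute():
        # pathlib would drop `base` when joining an absolute path
        raise ValueError("absolute paths are not allowed")
    base_resolved = base.resolve()
    # resolve() collapses '.' and '..' and follows existing symlinks,
    # so the containment check below sees the real target
    candidate = (base_resolved / decoded).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        raise ValueError("path escapes the workflow directory") from None
    if candidate == base_resolved:
        raise ValueError("a workflow file name is required")
    return candidate


def is_safe_request(requested_path: str) -> bool:
    """True if the request resolves to a file inside WORKFLOW_DIR."""
    try:
        resolve_workflow_path(requested_path)
    except ValueError:
        return False
    return True
```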
File Access Restriction
Run n8n-workflows with minimal privileges and restrict file system access to necessary directories only.
# Run as non-root user
sudo -u n8nuser python api_server.py
# Use chroot or containerization
🧯 If You Can't Patch
- Implement network segmentation to isolate n8n-workflows from sensitive systems
- Deploy web application firewall (WAF) rules to block directory traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check if your n8n-workflows deployment includes commit ee25413 or was built from that commit. Review the api_server.py file for the download_workflow function.
Check Version:
git log --oneline | grep ee25413
Verify Fix Applied:
Test that directory traversal attempts (e.g., '../../etc/passwd') are properly rejected and return error responses.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in application logs
- Failed directory traversal attempts with patterns like '..' or '../'
Network Indicators:
- HTTP requests containing directory traversal sequences in parameters
SIEM Query:
source="n8n-workflows" AND (".." OR "../" OR "%2e%2e")