CVE-2025-49595

Name of the Vulnerable Software and Affected Versions: n8n versions prior to 1.99.0

Description: The issue is a Denial of Service vulnerability in the "/rest/binary-data" endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability through malformed filesystem URI requests, affecting the /rest/binary-data endpoint and n8n.cloud instances. Attackers can exploit this by sending GET requests with empty filesystem URIs to the /rest/binary-data endpoint, causing resource exhaustion and service disruption.

Recommendations: For versions prior to 1.99.0, upgrade to version 1.99.0 or later, which introduces strict checking of URI patterns to fix the issue. As a temporary workaround, consider restricting access to the /rest/binary-data endpoint to minimize the risk of exploitation. Avoid using empty filesystem URIs (filesystem:// or filesystem-v2://) in the affected endpoint until the issue is resolved.