CVE-2025-55526 Overview
CVE-2025-55526 is a critical directory traversal vulnerability affecting the n8n-workflows project, specifically within the download_workflow function in api_server.py. This vulnerability allows remote attackers to access files outside the intended directory structure by manipulating file path inputs, potentially leading to unauthorized access to sensitive system files and data exfiltration.
Critical Impact
Attackers can exploit this directory traversal flaw to read arbitrary files on the system, potentially exposing configuration files, credentials, and other sensitive data without requiring authentication.
Affected Products
- n8n FastAPI 0.115.14
- n8n Pydantic 2.11.7
- n8n Uvicorn 0.35.0
- Microsoft Windows 11
Discovery Timeline
- 2025-08-26 - CVE-2025-55526 published to NVD
- 2025-09-15 - Last updated in NVD database
Technical Details for CVE-2025-55526
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) exists in the download_workflow function within the api_server.py component of n8n-workflows. The vulnerability is network-accessible, requires no authentication, and can be exploited with low attack complexity. Successful exploitation enables attackers to access files with high confidentiality and integrity impact, though availability remains unaffected.
The core issue stems from insufficient input validation when processing user-supplied file paths. When a user requests to download a workflow file, the application fails to properly sanitize the input, allowing attackers to use path traversal sequences to escape the intended directory.
Root Cause
The root cause of this vulnerability is improper input validation in the download_workflow function. The function does not adequately sanitize or validate user-supplied file path parameters before using them in file system operations. This allows attackers to include directory traversal characters such as ../ or ..\ (on Windows systems) to navigate outside the application's designated workflow directory and access arbitrary files on the system.
The affected components include the FastAPI-based API server running on Uvicorn, where the file download endpoint accepts user input that is directly incorporated into file path construction without proper validation or canonicalization.
Attack Vector
The attack vector for CVE-2025-55526 is network-based, meaning attackers can exploit this vulnerability remotely without requiring any prior authentication or user interaction. An attacker would craft a malicious HTTP request to the download_workflow endpoint, embedding directory traversal sequences in the workflow name or path parameter.
For example, an attacker could manipulate the request to include sequences like ../../../etc/passwd on Linux systems or ..\..\..\..\windows\system32\config\sam on Windows systems to access sensitive files outside the intended directory structure.
The vulnerability is particularly dangerous because it combines high confidentiality impact (attackers can read arbitrary files) with high integrity impact (potential for file manipulation), all without requiring any privileges or user interaction.
Detection Methods for CVE-2025-55526
Indicators of Compromise
- HTTP requests to the workflow download endpoint containing path traversal sequences such as ../, ..\, %2e%2e%2f, or %2e%2e/
- Unusual file access patterns in application logs showing attempts to access files outside the workflows directory
- Web server logs showing requests with encoded directory traversal patterns targeting the API server
- Access attempts to sensitive system files such as /etc/passwd, /etc/shadow, or Windows SAM database files
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing directory traversal patterns in URL parameters and request bodies
- Enable detailed logging on the n8n-workflows API server and monitor for file access attempts outside designated directories
- Deploy file integrity monitoring (FIM) on sensitive system directories to detect unauthorized read access
- Configure intrusion detection systems (IDS) to alert on HTTP requests containing path traversal sequences targeting the affected endpoint
Monitoring Recommendations
- Monitor web server access logs for requests to the download_workflow endpoint with suspicious path parameters
- Set up alerts for any file access operations that resolve to paths outside the application's workflow storage directory
- Review API server logs regularly for patterns indicating reconnaissance or exploitation attempts
- Implement real-time monitoring of file system access to detect reads of sensitive configuration or credential files
How to Mitigate CVE-2025-55526
Immediate Actions Required
- Update the n8n-workflows installation to the latest version that addresses this vulnerability
- Implement input validation to reject any file path containing directory traversal sequences
- Deploy a Web Application Firewall (WAF) with rules to block path traversal attempts
- Restrict file system permissions for the n8n-workflows process to only the necessary directories
- Review access logs for any evidence of prior exploitation attempts
Patch Information
Organizations should monitor the GitHub Issue Discussion for updates on official patches and remediation guidance. As this vulnerability affects commit ee25413 in the main branch, users should update to a newer commit or release that addresses this security flaw once available.
Workarounds
- Implement a reverse proxy or WAF in front of the API server to filter and block requests containing path traversal sequences
- Modify the download_workflow function to canonicalize and validate file paths before processing, ensuring they resolve within the intended directory
- Restrict network access to the n8n-workflows API server to trusted IP addresses only
- Run the application in a containerized environment with minimal file system access to limit the impact of potential exploitation
# Example WAF rule configuration (ModSecurity)
# Block directory traversal attempts in request parameters
SecRule REQUEST_URI|ARGS|ARGS_NAMES "@rx (\.\./|\.\.\\)" \
"id:100001,phase:2,deny,status:403,log,msg:'Directory Traversal Attempt Blocked'"
# Restrict file access to specific directory (application-level fix example)
# Ensure workflow_path is within allowed directory
# ALLOWED_DIR="/var/n8n-workflows/workflows"
# realpath validation before file operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
