Cyber Resilience

CVE-2025-55526

Critical · Public PoC

Published: 26 August 2025
Modified: 15 September 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0101 (77.5th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55526 is a critical-severity Path Traversal (CWE-22) vulnerability in N8N Fastapi. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.5% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

n8n-workflows at main commit ee25413 contains a directory traversal vulnerability (CWE-22) in the download_workflow function of api_server.py. The flaw affects the n8n-workflows project and carries a CVSS 3.1 score of 9.1, reflecting a network-reachable attack path that requires neither authentication nor user interaction.

An unauthenticated remote attacker can supply crafted input to the download_workflow endpoint to traverse directories on the underlying filesystem, enabling unauthorized reading and modification of files with high confidentiality and integrity impact.

The sole public reference is a GitHub issue that documents the flaw but provides no mitigation guidance or patch details at the time of publication. The associated EPSS score remains flat at 0.0101 with no observed increase after disclosure.


Vulnerability details

n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (tactic: Initial Access)
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (tactic: Collection)
  Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in a public-facing API server directly enables remote exploitation (T1190) and arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-52363 (same vendor: Microsoft)
- CVE-2026-25055 (same vendor: N8N)
- CVE-2026-21227 (same vendor: Microsoft)
- CVE-2025-52452 (same vendor: Microsoft)
- CVE-2024-55457 (shared CWE-22)
- CVE-2025-41368 (shared CWE-22)
- CVE-2024-13471 (shared CWE-22)
- CVE-2025-8054 (shared CWE-22)
- CVE-2026-2493 (shared CWE-22)
- CVE-2026-32026 (shared CWE-22)

Affected Assets

Vendor   Product    Version
n8n      fastapi    0.115.14
n8n      pydantic   2.11.7
n8n      uvicorn    0.35.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- Prevent: Directly requires validation of inputs to the download_workflow function in api_server.py to reject directory traversal sequences like '../', preventing unauthorized file access.
- Prevent: Mandates enforcement of access controls that restrict the api_server.py function to only authorized workflow directories, blocking traversal to sensitive files outside the intended scope.
- Prevent: Requires timely identification, reporting, and patching of the specific directory traversal flaw at commit ee25413 in n8n-workflows, eliminating the vulnerability root cause.
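The first two controls above describe the same defensive pattern: map the untrusted filename onto a path, and refuse to serve it unless it stays inside the authorized workflow directory. The following is an added example of that check, not code from the n8n-workflows project; the names WORKFLOW_DIR, safe_workflow_path, read_workflow and probe are assumptions for illustration, and the sample files are constructed in a temporary directory so the block runs offline. It goes slightly beyond the page's "reject '../'" wording by also refusing absolute inputs, NUL bytes, and symlinks that resolve outside the directory.

```python
"""Added example (not n8n-workflows code): hardened path resolution for a
download-style endpoint, as the input-validation and access-restriction
controls for CVE-2025-55526 call for. All names here are illustrative."""
import os
import tempfile
from pathlib import Path, PurePosixPath

# Constructed sandbox: a workflow directory plus a sibling file that must
# never be reachable through the download handler.
_ROOT = Path(tempfile.mkdtemp(prefix="cve-2025-55526-demo-"))
WORKFLOW_DIR = _ROOT / "workflows"
(WORKFLOW_DIR / "team").mkdir(parents=True)
(WORKFLOW_DIR / "hello.json").write_text('{"name": "hello"}')
(WORKFLOW_DIR / "team" / "backup.json").write_text('{"name": "backup"}')
(_ROOT / "secret.txt").write_text("outside the workflow directory")
try:
    # A symlink planted inside the directory that points outside it; the
    # lexical '..' check alone would not catch this.
    os.symlink(_ROOT / "secret.txt", WORKFLOW_DIR / "link.json")
except OSError:
    pass  # symlinks unavailable on this platform; the other checks still apply


def safe_workflow_path(base_dir: Path, user_input: str) -> Path:
    """Map an untrusted filename to a file inside base_dir, or raise ValueError."""
    base = Path(base_dir).resolve()
    if "\x00" in user_input:
        raise ValueError("NUL byte in filename")
    rel = PurePosixPath(user_input)
    # Lexical check: no absolute paths and no '..' components. Note that
    # Path(base, "/etc/x") silently discards base, so absolute inputs must be
    # refused explicitly rather than relying on the join.
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError("directory traversal rejected")
    candidate = (base / rel).resolve()
    # Semantic check after symlink resolution: the real path must still sit
    # under base, which defeats a planted symlink that passes the lexical check.
    if candidate != base and base not in candidate.parents:
        raise ValueError("resolved path escapes the workflow directory")
    if not candidate.is_file():
        raise FileNotFoundError(user_input)
    return candidate


def read_workflow(user_input: str) -> str:
    """What a hardened download_workflow handler would do before serving a file."""
    return safe_workflow_path(WORKFLOW_DIR, user_input).read_text()


def probe(user_input: str) -> str:
    """Classify an input as 'served', 'rejected' or 'missing' (for the demo)."""
    try:
        read_workflow(user_input)
        return "served"
    except ValueError:
        return "rejected"
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    for name in ("hello.json", "team/backup.json", "../secret.txt",
                 "team/../../secret.txt", "/etc/hostname", "link.json", "nope.json"):
        print(f"{name!r}: {probe(name)}")
```

The two-stage check matters: the lexical stage gives a clear rejection reason for the obvious '../' and absolute-path inputs the page mentions, while the post-resolve containment check is what actually enforces "only authorized workflow directories", since it is evaluated on the real filesystem path rather than on the string the client sent.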
