CVE-2025-61917
Published: 04 February 2026
Summary
CVE-2025-61917 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the n8n workflow automation platform (vendor: n8n). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score ranks at the 5.1 percentile, below the median, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-16 is the memory protection control; mapped here by intent, it covers preventing disclosure of residual sensitive data through uninitialized buffers allocated on behalf of untrusted code. Note that SI-16 is conventionally satisfied by platform mechanisms such as data execution prevention and address space layout randomization, none of which zero a reused Node.js buffer, so it does not substitute for the patch.
SC-4 prevents unauthorized information transfer via shared system resources, such as process memory containing residual data from prior requests, secrets, or tokens.
SI-2 mandates timely flaw remediation, including patching n8n to version 1.114.3 or later to eliminate the unsafe buffer allocation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing workflow platform (T1190) to read residual secrets and tokens from process memory via unsafe buffer allocation in untrusted task runner code (T1552, Unsecured Credentials).
NVD Description
n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3.
Deeper analysis
CVE-2025-61917 is an information disclosure vulnerability in n8n, an open source workflow automation platform. The issue affects versions from 1.65.0 up to but not including 1.114.3, stemming from the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() functions in the task runner. These functions allow untrusted code to allocate uninitialized memory buffers, which may contain residual data from the same Node.js process, such as prior requests, tasks, secrets, or tokens.
An attacker with low privileges (PR:L), in practice an authenticated user who can get code executed by the task runner, for example as part of a workflow, can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Scope is changed (S:C) because the disclosure reaches data belonging to other requests and tasks, not just the attacker's own; the impact is high confidentiality loss (C:H) with no integrity or availability impact. By executing untrusted code through the task runner, the attacker can allocate uninitialized buffers and read whatever residual data they contain, potentially exposing secrets or tokens. Note that what a given allocation returns depends on the allocator and on what the process handled before, so exploitation is opportunistic: repeated allocations and scanning for high-value patterns (bearer tokens, API keys) is the realistic attack shape rather than a targeted read.
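To make the mechanism concrete, the following is an added example written for this page; it is not n8n's code and not the patch. It shows a probe that reports how many non-zero bytes an allocUnsafe* buffer contains (the quantity an attacker would mine), a zero-filling Buffer facade of the kind a sandbox could expose to untrusted code so that the unsafe allocators become harmless, and a simple source scan for the two calls. The names SandboxBuffer, probeUninitialized and findUnsafeAllocations, and the sample source, are this example's own.

```javascript
// Added example, not n8n's code. Demonstrates (1) why Buffer.allocUnsafe*() must not be
// reachable from untrusted code, (2) a zero-filling Buffer facade a sandbox could expose
// instead, and (3) a static scan for the unsafe calls. Node.js only; no imports needed.

// True when every byte of buf is zero.
function isZeroed(buf) {
  for (const b of buf) if (b !== 0) return false;
  return true;
}

// Count non-zero bytes in a buffer obtained via allocUnsafe*(). The value is allocator-
// and history-dependent: usually zero in a fresh process, often non-zero once the process
// has handled requests. That unpredictability is the CWE-200 problem; it is reported, not
// asserted on, because it cannot be reproduced deterministically.
function probeUninitialized(size, slow = false) {
  const buf = slow ? Buffer.allocUnsafeSlow(size) : Buffer.allocUnsafe(size);
  let nonZero = 0;
  for (const b of buf) if (b !== 0) nonZero++;
  return nonZero;
}

// Facade for sandboxed code: every static Buffer API passes through unchanged, except that
// the two unsafe allocators hand back zero-filled memory (Buffer.alloc), so nothing a
// previous task or request left behind can be read. This is a hypothetical mitigation
// pattern, not n8n's fix.
const SandboxBuffer = new Proxy(Buffer, {
  get(target, prop, receiver) {
    if (prop === 'allocUnsafe' || prop === 'allocUnsafeSlow') {
      return (size) => Buffer.alloc(size);
    }
    return Reflect.get(target, prop, receiver);
  },
});

// Static check for code review / CI: find lines that call the unsafe allocators.
// Returns [{ line, call }] in source order. Limitation: an alias such as
// `const B = Buffer; B.allocUnsafe(n)` is not caught, so the runtime facade above is the
// control to rely on; this scan only finds the obvious cases.
function findUnsafeAllocations(source) {
  const re = /\bBuffer\.(allocUnsafe(?:Slow)?)\s*\(/g;
  const hits = [];
  source.split('\n').forEach((text, idx) => {
    let m;
    while ((m = re.exec(text)) !== null) {
      hits.push({ line: idx + 1, call: m[1] });
    }
    re.lastIndex = 0;
  });
  return hits;
}

// Constructed sample source for the scanner, not taken from n8n.
const SAMPLE_SOURCE = [
  'const out = Buffer.alloc(64);                // fine: zero-filled',
  'const scratch = Buffer.allocUnsafe(4096);    // flagged',
  'const big = Buffer.allocUnsafeSlow(1 << 20); // flagged',
  'const copy = Buffer.from(out);               // fine',
].join('\n');

console.log('allocUnsafe non-zero bytes:', probeUninitialized(4096));
console.log('allocUnsafeSlow non-zero bytes:', probeUninitialized(4096, true));
console.log('sandbox allocUnsafe zeroed:', isZeroed(SandboxBuffer.allocUnsafe(4096)));
console.log('unsafe calls found:', findUnsafeAllocations(SAMPLE_SOURCE));
```

Run it twice, once in a fresh process and once after the process has done some work, to see the probe count change; the facade's result does not change, which is the property the patch restores by removing the unsafe allocators from the task runner.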
The vulnerability has been addressed in n8n version 1.114.3. Official mitigation details are available in the n8n security advisory GHSA-49mx-fj45-q3p6 and the patching commit at https://github.com/n8n-io/n8n/commit/2c4c2953199733c791f739a40879ae31ca129aba. Users should upgrade to 1.114.3 or later and confirm the deployed version before treating the issue as closed; because leaked data would have been read from memory rather than logged, there is no reliable post-hoc indicator, so rotating credentials that were processed by an affected instance is the conservative follow-up.
Details
- CWE(s)