Cyber Resilience

CVE-2025-61917

Severity: High
Published: 04 February 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-61917 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in n8n (catalogued as vendor N8N, product N8N). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-61917 is an information disclosure vulnerability in n8n, an open source workflow automation platform. The issue affects versions from 1.65.0 up to but not including 1.114.3 and stems from the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner. These functions return buffers whose memory is not zero-filled, so untrusted code that can call them receives uninitialized memory that may still hold residual data from the same Node.js process, such as prior requests, tasks, secrets, or tokens.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). The changed scope (S:C) results in high confidentiality loss (C:H) without affecting integrity or availability. By executing untrusted code through the task runner, the attacker could read sensitive residual data from uninitialized buffers, potentially exposing secrets or tokens.

The vulnerability has been addressed in n8n version 1.114.3. Official mitigation details are available in the n8n security advisory at GHSA-49mx-fj45-q3p6 and the patching commit at https://github.com/n8n-io/n8n/commit/2c4c2953199733c791f739a40879ae31ca129aba. Users should upgrade to the patched version to prevent exploitation.

Vulnerability details

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

This CVE enables remote exploitation of a public-facing workflow platform (T1190) to read residual secrets/tokens from process memory via unsafe buffer allocation in untrusted task runner code (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68613 (same product: N8N N8N)
CVE-2026-1470 (same product: N8N N8N)
CVE-2026-21877 (same product: N8N N8N)
CVE-2026-42232 (same product: N8N N8N)
CVE-2025-62726 (same product: N8N N8N)
CVE-2026-25055 (same product: N8N N8N)
CVE-2026-27577 (same product: N8N N8N)
CVE-2026-25056 (same product: N8N N8N)
CVE-2026-27497 (same product: N8N N8N)
CVE-2026-21893 (same product: N8N N8N)

Affected Assets

n8n (vendor: n8n), affected versions 1.65.0 up to but not including 1.114.3

Mitigating Controls (NIST 800-53 r5)

SI-16 (prevent): directly enforces memory protection mechanisms to prevent unauthorized disclosure of residual sensitive data from uninitialized buffers allocated by untrusted code.

SC-4 (prevent): prevents unauthorized information transfer via shared system resources, such as process memory containing residual data from prior requests, secrets, or tokens.

SI-2 (prevent): mandates timely flaw remediation, including patching n8n to version 1.114.3 to eliminate the unsafe buffer allocation vulnerability.

References