How the CVE Works
The vulnerability exists in the `/rest/binary-data` endpoint of n8n, where improper handling of empty filesystem URIs (`filesystem://` or `filesystem-v2://`) leads to a denial of service. When an authenticated attacker sends a malformed GET request with an empty filesystem URI, the system fails to validate the input properly, causing resource exhaustion. This results in HTTP/2 524 timeout responses on n8n.cloud instances and service disruption. The lack of strict URI pattern checking allows repeated exploitation, leading to sustained unavailability.
DailyCVE Form
Platform: n8n
Version: <1.99.0
Vulnerability: DoS
Severity: Critical
Date: 2024-03-15
Prediction: Patch expected by 2024-03-20
What Undercode Say
curl -X GET "http://target/rest/binary-data?uri=filesystem://"
import requests
requests.get("http://target/rest/binary-data", params={"uri": "filesystem-v2://"})
How to Exploit
Send crafted GET requests with empty `filesystem://` URIs to exhaust server resources.
Protection from this CVE
Upgrade to n8n 1.99.0+.
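For readers who cannot upgrade immediately or who want to confirm the fix on their own deployment, the following is an added example (it is not n8n project code and not part of the original advisory) showing the two controls the description above implies: a strict pattern check on the `uri` parameter that rejects the empty `filesystem://` and `filesystem-v2://` forms before any filesystem work happens, and a log scan that flags clients repeatedly sending that form. Assumptions: the scheme names are taken from the advisory, the identifier after `://` is treated as an opaque non-empty path (the real n8n identifier layout is not reproduced here), the guard uses an Express-style `(req, res, next)` signature, and the log lines are constructed for the example.

```javascript
// Added example, not n8n code. Strict URI validation for the binary-data
// "uri" query parameter, plus a detection pass over access-log lines.
// Assumption: scheme names come from the advisory; the path after "://" is
// an opaque, non-empty identifier without traversal segments.

const ALLOWED_SCHEMES = new Set(["filesystem", "filesystem-v2"]);

// Returns { ok: true, scheme, path } or { ok: false, reason }.
function validateBinaryDataUri(uri) {
  if (typeof uri !== "string" || uri.length === 0) {
    return { ok: false, reason: "missing uri" };
  }
  const m = /^([a-z0-9-]+):\/\/(.*)$/s.exec(uri);
  if (!m) return { ok: false, reason: "malformed uri" };
  const [, scheme, path] = m;
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, reason: `unsupported scheme ${scheme}` };
  }
  // The empty-path form ("filesystem://") is the input the advisory says
  // reaches the filesystem layer unchecked; reject it before any I/O.
  if (path.length === 0) return { ok: false, reason: "empty path" };
  // Also reject empty, "." and ".." segments so the id stays inside the store.
  const segments = path.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) {
    return { ok: false, reason: "invalid path segment" };
  }
  return { ok: true, scheme, path };
}

// Express-style guard (assumed signature): answer 400 immediately instead of
// letting the request hold a worker until the upstream 524 timeout.
function binaryDataGuard(req, res, next) {
  const verdict = validateBinaryDataUri(req.query.uri);
  if (!verdict.ok) {
    res.status(400).json({ error: verdict.reason });
    return;
  }
  next();
}

// Detection: per client IP, count GET /rest/binary-data requests whose uri
// parameter is an empty filesystem URI. Returns IPs at or above `threshold`.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "GET ([^" ]+) HTTP\/[\d.]+" (\d{3})/;

function findEmptyUriSources(logLines, threshold = 3) {
  const counts = new Map();
  for (const line of logLines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, target] = m;
    let url;
    try { url = new URL(target, "http://placeholder.invalid"); } catch { continue; }
    if (url.pathname !== "/rest/binary-data") continue;
    const v = validateBinaryDataUri(url.searchParams.get("uri") ?? "");
    if (v.ok || v.reason !== "empty path") continue;
    counts.set(ip, (counts.get(ip) ?? 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([ip]) => ip).sort();
}

// Constructed sample log lines (combined format), not from any real system.
const SAMPLE_LOG = [
  '203.0.113.7 - - [15/Mar/2024:10:00:01 +0000] "GET /rest/binary-data?uri=filesystem:// HTTP/2.0" 524 0',
  '203.0.113.7 - - [15/Mar/2024:10:00:02 +0000] "GET /rest/binary-data?uri=filesystem-v2:// HTTP/2.0" 524 0',
  '203.0.113.7 - - [15/Mar/2024:10:00:03 +0000] "GET /rest/binary-data?uri=filesystem:// HTTP/2.0" 524 0',
  '198.51.100.9 - - [15/Mar/2024:10:00:04 +0000] "GET /rest/binary-data?uri=filesystem-v2://workflow1/exec2/file3 HTTP/2.0" 200 512',
  '198.51.100.9 - - [15/Mar/2024:10:00:05 +0000] "GET /rest/binary-data?uri=filesystem:// HTTP/2.0" 524 0',
  '198.51.100.9 - - [15/Mar/2024:10:00:06 +0000] "GET /healthz HTTP/2.0" 200 2',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(validateBinaryDataUri("filesystem://"));   // { ok: false, reason: 'empty path' }
  console.log(findEmptyUriSources(SAMPLE_LOG));           // [ '203.0.113.7' ]
}
```

The validator is the part worth porting: the fix class here is "reject before doing work", so the check must run before any storage lookup, and the 400 makes the rejected requests visible in access logs, which is what the detection pass then counts. The threshold in `findEmptyUriSources` is a starting point; tune it to the normal error rate of the instance.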
Impact
Service disruption, resource exhaustion.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode