What is the CVSS score of CVE-2025-61917?

CVE-2025-61917 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Node.js are affected by CVE-2025-61917?

n8n workflow automation instances running versions 1.65.0 through 1.114.2 are vulnerable to memory disclosure attacks that could expose sensitive data processed by automation workflows.. A patch is available.

How to fix or mitigate CVE-2025-61917?

Within 24 hours: Identify all n8n instances in your environment and document their versions. Within 7 days: Apply patch to version 1.114.3 or later across all affected instances, starting with production environments handling sensitive data. Within 30 days: Verify patch deployment completion and validate workflow functionality post-update.

Node.js CVE-2025-61917

HIGH

Information Exposure (CWE-200)

2026-02-04 security-advisories@github.com

GHSA-49mx-fj45-q3p6

Information Disclosure Node.js N8n

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Feb 18, 2026 - 17:46 nvd

Patch available

CVE Published

Feb 04, 2026 - 17:16 nvd

HIGH 7.7

DescriptionNVD

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3.

AnalysisAI

Technical ContextAI

Classified as CWE-200 (Information Exposure). Affects N8N. n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 1.114.3.. Restrict network access to the affected service where possible.

CVE-2025-61917 vulnerability details – vuln.today

Back

Node.js CVE-2025-61917

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code