CVE-2025-49595: 
JavaScript vulnerability analysis and mitigation

CVE-2025-49595 affects n8n, a workflow automation platform. The vulnerability was discovered in the /rest/binary-data endpoint when processing empty filesystem URIs. The issue was disclosed on July 3, 2025, and affects versions prior to 1.99.0 (NVD, GitHub Advisory).

The vulnerability is a Denial of Service (DoS) condition that occurs when processing empty filesystem URIs (filesystem:// or filesystem-v2://) in the /rest/binary-data endpoint. The issue has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD, GitHub Advisory).

When exploited, this vulnerability allows authenticated attackers to cause service unavailability through malformed filesystem URI requests. The impact affects both the /rest/binary-data endpoint and n8n.cloud instances, resulting in confirmed HTTP/2 524 timeout responses (GitHub Advisory).

The vulnerability has been patched in version 1.99.0. The fix introduces strict checking of URI patterns. Users are advised to upgrade to version 1.99.0 or later to mitigate this vulnerability. The patch was implemented through PR #16229 (GitHub PR, GitHub Advisory).