CVE-2025-57749: 
JavaScript vulnerability analysis and mitigation

n8n is a workflow automation platform affected by a symlink traversal vulnerability (CVE-2025-57749) discovered in the Read/Write File node before version 1.106.0. The vulnerability was disclosed on August 20, 2025. The issue affects n8n installations running versions prior to 1.106.0, while users of n8n.cloud are not impacted (GitHub Advisory).

The vulnerability stems from improper handling of symbolic links (symlinks) in the Read/Write File node. While the node attempts to restrict access to sensitive directories and files, it fails to properly account for symbolic links. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, and no user interaction needed (GitHub Advisory).

An attacker with the ability to create symlinks—such as by using the Execute Command node—could exploit this vulnerability to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths on the system. This could potentially lead to unauthorized access to sensitive files and data (GitHub Advisory).

The vulnerability has been patched in version 1.106.0. Users should upgrade to this version or later to address the issue. For those unable to update immediately, temporary workarounds include disabling or restricting access to the Execute Command node and any other nodes that allow arbitrary file system access, and avoiding the use of the Read/Write File node on untrusted paths or inputs that could be manipulated via symlinks (GitHub Advisory, GitHub Pull).