Impact
n8n is an open source workflow automation platform. The vulnerability is caused by the Compression node's Decompress operation in n8n, which prior to version 2.24.0 expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker can create a small compressed archive and send it to a public webhook workflow that utilizes this node, causing the n8n process to terminate due to memory exhaustion and disrupting all workflows in the same instance. This vulnerability is fixed in 2.24.0. The flaw illustrates CWE-409: Uncontrolled Memory Allocation. The CVSS score of 6.3 indicates moderate severity, and the absence of an EPSS score means the current exploitation probability is unclear. Exploitation requires only access to a public webhook endpoint, making the attack straightforward. Successful exploitation triggers an out‑of‑memory condition, terminating the n8n process and bringing down all running workflows, potentially causing significant disruption to automation tasks.
Affected Systems
Any deployment of the n8n workflow automation platform using the Compression node before version 2.24.0 is vulnerable. The issue applies to n8n‑io and affects all public‑webhook workflows that include the Decompress operation.
Risk and Exploitability
The risk posed by this flaw is moderate, as reflected by the CVSS score of 6.3. Because the vulnerability does not require authentication and relies on a public webhook endpoint, the likelihood of exploitation is contingent on the exposure of the workflow. An unauthenticated attacker can craft a small ZIP archive that, when processed by the Decompress operation, loads an enormous amount of data into memory, triggering an out‑of‑memory condition and forcefully terminating the n8n process. The resulting crash brings down all workflows running in the same instance, causing a service disruption. Although no EPSS score is available, the absence of a KEV listing indicates no known widespread exploitation yet, but the simplicity of the attack vector (any user with access to a public webhook URL) means the vulnerability could be exploited early if the handler is left exposed.
OpenCVE Enrichment
Github GHSA