{"data":{"id":"a3e0cb8e-d2ff-493a-a4bf-321bd3ed636e","title":"GHSA-jqpw-qww5-cj4c: n8n: Denial of Service via ZIP decompression in webhook workflow","summary":"A vulnerability in n8n's Compression node allows unauthenticated attackers to crash the entire application by sending specially crafted compressed files to public webhooks. The node decompresses archives without limiting memory usage, causing the process to run out of memory and stop working for all users on that server.","solution":"The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later. The fix introduces configurable limits on decompressed output size (`N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES`) and ZIP entry count (`N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES`). If upgrading is not immediately possible, administrators can temporarily disable the Compression node by adding `n8n-nodes-base.compression` to the `NODES_EXCLUDE` environment variable, or require authentication on any webhook workflow that accepts archive file uploads, so that it is no longer publicly reachable.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-jqpw-qww5-cj4c","publishedAt":"2026-06-16T23:01:51.000Z","cveId":"CVE-2026-54314","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["n8n@< 2.24.0 (fixed: 2.24.0)"],"affectedVendors":[],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-16T23:01:51.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}