Stored Cross-Site Scripting Vulnerability in n8n Workflow Automation Platform
CVE-2025-46343

5.4MEDIUM

Key Information:

Vendor

N8n-io

Status
N8n
Vendor
CVE Published:
29 April 2025

What is CVE-2025-46343?

The n8n workflow automation platform is susceptible to stored cross-site scripting (XSS) due to improper handling of MIME types in the attachments view endpoint. Attackers can exploit this vulnerability by uploading a malicious HTML file with JavaScript code, making it possible for them to execute scripts in the context of another authenticated user's session. This can lead to unauthorized actions, including changes to sensitive account settings such as email addresses. Users are advised to upgrade to version 1.90.0, where this issue has been addressed.

Affected Version(s)

n8n < 1.90.0

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-c8...
x_refsource_CONFIRM
https://github.com/n8n-io/n8n/pull/14350
x_refsource_MISC
https://github.com/n8n-io/n8n/pull/14685
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.