Stored XSS Vulnerability in n8n Workflow Automation Platform
CVE-2025-58177

5.4MEDIUM

Key Information:

Vendor: N8n-io
Status: N8n
Vendor: CVE Published:; 15 September 2025

What is CVE-2025-58177?

The n8n workflow automation platform contains a stored cross-site scripting (XSS) vulnerability in the LangChain Chat Trigger node. Between versions 1.24.0 and before 1.107.0, an authorized user can maliciously configure the initialMessages field of this node to execute arbitrary JavaScript. When public access is granted, this malicious script can run in the browser of any visitor using the generated chat URL, exposing them to potential phishing attacks and allowing for cookie theft or the compromise of other sensitive data. Users are urged to upgrade to version 1.107.0 or later to mitigate this risk. As a temporary measure, the affected node may be disabled until an update can be applied.

Affected Version(s)

n8n >= 1.24.0, < 1.107.0

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-mv...

x_refsource_CONFIRM

https://github.com/n8n-io/n8n/pull/18148

x_refsource_MISC

https://github.com/n8n-io/n8n/commit/d4ef191be0b39b65efa6...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 15, 2025
Vulnerability Reserved
Aug 27, 2025

N8n-io

What is CVE-2025-58177?

Affected Version(s)

References

CVSS V3.1

Timeline