Stored Cross-Site Scripting Vulnerability in n8n Workflow Automation Platform
CVE-2025-61914

7.3 HIGH

Key Information:

Vendor: N8n-io

Status
Vendor
CVE Published: 26 December 2025

What is CVE-2025-61914?

The n8n workflow automation platform is susceptible to a stored Cross-Site Scripting (XSS) vulnerability affecting versions before 1.114.0. If the 'Respond to Webhook' node processes HTML content containing executable scripts, the malicious payload can run in the top-level window instead of the intended sandbox environment introduced in version 1.103.0. This flaw allows users with workflow creation permissions to execute arbitrary JavaScript within the n8n editor interface. To address this issue, it is recommended to update to version 1.114.0. Additionally, restrict workflow creation and modification privileges to trusted users, avoid using untrusted HTML in the 'Respond to Webhook' node, and implement an external reverse proxy or HTML sanitizer to filter potentially harmful scripts.
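The audit below is an added example, not code from n8n or from this advisory: it checks an instance version against the fixed release and flags 'Respond to Webhook' nodes in an exported workflow whose response contains script-bearing HTML or is built from an expression. The node type string, the `parameters` field names and the sample workflow are assumptions about the export format.

```javascript
// Added example: audit an exported n8n workflow for risky 'Respond to Webhook' nodes.
// Assumptions: the node type string and the `parameters` layout of the export JSON.
const FIXED = [1, 114, 0]; // first fixed release named in the advisory

// True when `version` (e.g. "1.113.3") is older than 1.114.0.
function isAffectedVersion(version) {
  const parts = String(version).split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < FIXED.length; i++) {
    const have = parts[i] || 0;
    if (have !== FIXED[i]) return have < FIXED[i];
  }
  return false;
}

// Markers of executable content in HTML: script tags, inline handlers, javascript: URLs.
const ACTIVE_HTML = [/<\s*script\b/i, /\son[a-z]+\s*=/i, /javascript\s*:/i];

// Gather every string nested anywhere inside a node's parameters.
function collectStrings(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (value && typeof value === 'object') {
    for (const v of Object.values(value)) collectStrings(v, out);
  }
  return out;
}

// Returns one finding per Respond to Webhook node that needs review.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== 'n8n-nodes-base.respondToWebhook') continue;
    const strings = collectStrings(node.parameters);
    const staticScript = strings.some((s) => ACTIVE_HTML.some((re) => re.test(s)));
    const dynamicBody = strings.some((s) => s.includes('{{')); // body built from upstream data
    if (staticScript || dynamicBody) findings.push({ node: node.name, staticScript, dynamicBody });
  }
  return findings;
}

// Constructed sample export (not taken from a real instance).
const RESPOND = 'n8n-nodes-base.respondToWebhook';
const sampleWorkflow = { nodes: [
  { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'demo' } },
  { name: 'Static page', type: RESPOND, parameters: { respondWith: 'text', responseBody: '<h1>ok</h1>' } },
  { name: 'Inline script', type: RESPOND, parameters: { respondWith: 'text', responseBody: '<p>hi</p><script>render()</script>' } },
  { name: 'Echo upstream', type: RESPOND, parameters: { respondWith: 'text', responseBody: '={{ $json.html }}' } },
] };

console.log(isAffectedVersion('1.113.3'), auditWorkflow(sampleWorkflow));
```

A `dynamicBody` finding is a prompt for manual review of where the HTML comes from, not proof of an exploitable node.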

Affected Version(s)

n8n < 1.114.0

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
