CVE-2025-52478

8.7 HIGH

📋 TL;DR

A stored Cross-Site Scripting (XSS) vulnerability in n8n's Form Trigger node allows authenticated attackers to inject malicious HTML/JavaScript. This enables account takeover by stealing session cookies and browser IDs from users who interact with malicious forms. Affects n8n versions 1.77.0 through 1.98.1.

💻 Affected Systems

Products:
  • n8n
Versions: 1.77.0 to 1.98.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated attacker access; affects Form Trigger node specifically.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover allowing attackers to change email addresses, disable 2FA, and gain full administrative control over n8n instances.

🟠

Likely Case

Session hijacking leading to unauthorized access to workflows, credentials, and sensitive automation data.

🟢

If Mitigated

Limited impact with proper input validation, Content Security Policy, and session management controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; attack vectors include <iframe srcdoc> and <video><source onerror> payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.98.2

Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2

Restart Required: Yes

Instructions:

1. Back up the n8n instance and its data.
2. Update n8n to version 1.98.2 or later using npm: npm update -g n8n
3. Restart the n8n service.
4. Verify the version with: n8n --version

🔧 Temporary Workarounds

Disable Form Trigger Node

Applies to: all

Temporarily disable or restrict access to Form Trigger nodes until patching.

Implement Content Security Policy

Applies to: all

Add CSP headers to restrict script execution from untrusted sources.

Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the n8n web server configuration. Roll it out first as Content-Security-Policy-Report-Only to confirm the n8n UI still loads before enforcing it.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all form inputs
  • Enable 2FA for all user accounts and monitor for suspicious account changes

🔍 How to Verify

Check if Vulnerable:

Check the n8n version: if it is between 1.77.0 and 1.98.1 inclusive, the system is vulnerable.

Check Version:

n8n --version

Verify Fix Applied:

Confirm the n8n version is 1.98.2 or higher, then test the Form Trigger node with XSS payloads to confirm they are rendered inert.
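The version check above, as an added helper script (not part of this advisory or of n8n): it parses the output of n8n --version and classifies the instance against the affected range 1.77.0 to 1.98.1 inclusive. It assumes the command prints a plain X.Y.Z version string.

```python
import re
import subprocess

# Affected range stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (1, 77, 0)
AFFECTED_MAX = (1, 98, 1)
PATCHED_MIN = (1, 98, 2)


def parse_version(text):
    """Return the first X.Y.Z triple found in text as a tuple of ints, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version_output):
    """Classify raw 'n8n --version' output against the advisory's range.

    Returns one of: 'vulnerable', 'patched', 'not_affected', 'unknown'.
    """
    v = parse_version(version_output)
    if v is None:
        return "unknown"           # could not read a version, investigate manually
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"        # inside 1.77.0 .. 1.98.1
    if v >= PATCHED_MIN:
        return "patched"           # 1.98.2 or later
    return "not_affected"          # older than 1.77.0, outside the advisory range


def check_local():
    """Run 'n8n --version' on this host and classify the result."""
    try:
        out = subprocess.run(["n8n", "--version"], capture_output=True,
                             text=True, timeout=30).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        out = str(exc)
    return assess(out)


if __name__ == "__main__":
    print(check_local())
```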

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/JavaScript in form submissions
  • Multiple failed login attempts from new locations
  • Account email change events

Network Indicators:

  • Outbound connections to unknown domains from n8n instance
  • Unusual cookie/session token exfiltration patterns

SIEM Query:

source="n8n" AND ("iframe" OR "srcdoc" OR "onerror") AND event_type="form_submission"
