CVE-2025-49592
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-09-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | to 1.98.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49592 is an Open Redirect vulnerability in the login flow of the n8n workflow automation platform, affecting versions prior to 1.98.0. Authenticated users can be redirected to attacker-controlled, untrusted domains after logging in by manipulating the redirect query parameter in the /signin endpoint URL. This allows attackers to craft URLs that appear legitimate but redirect users to malicious sites that mimic the n8n UI, potentially leading to phishing attacks, credential or two-factor authentication theft, and reputation damage. [2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by enabling attackers to redirect authenticated users to malicious websites that look like the legitimate n8n interface. This can lead to phishing attacks where users may be tricked into entering sensitive information such as credentials or 2FA codes. Additionally, it poses a risk to your organization's reputation due to the visual similarity between attacker-controlled domains and trusted n8n domains. The vulnerability affects any n8n instance exposing the /signin endpoint and can be exploited to steal user credentials or compromise user sessions. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you can monitor and analyze requests to the /signin endpoint of your n8n instance for suspicious redirect query parameters that point to external or untrusted domains. For example, look for URLs like /signin?redirect=https://n8n.local.evil.com or other domains that are not the legitimate origin. Commands to help detect this might include using curl or wget to test redirect behavior, or using network monitoring tools to capture HTTP requests and inspect the redirect parameters. Example command to test redirect behavior: curl -i 'https://your-n8n-domain/signin?redirect=https://malicious-domain.com'. If the response redirects to an external domain, the system is vulnerable. Additionally, reviewing web server logs or proxy logs for unusual redirect parameters can help identify exploitation attempts. [2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade your n8n installation to version 1.98.0 or later, where the vulnerability has been patched by implementing strict origin validation on redirect URLs. This fix ensures that only same-origin or relative path redirects are allowed after login, preventing open redirect attacks. Until the upgrade can be performed, consider restricting access to the /signin endpoint or implementing additional proxy-level validation to block redirect parameters pointing to untrusted domains. [2, 3, 4]