CVE-2025-52478
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-09-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| n8n | n8n | From 1.77.0 (inc) to 1.98.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52478 is a stored Cross-Site Scripting (XSS) vulnerability in the n8n workflow automation platform, specifically in the Form Trigger node's HTML form element in versions from 1.77.0 up to but not including 1.98.2. An authenticated attacker can inject malicious HTML using an `<iframe>` with a `srcdoc` payload or a combination of `<video>` and `<source>` tags exploiting the `onerror` event. This allows the attacker to execute arbitrary JavaScript in the context of authenticated users who visit the malicious form, enabling them to steal session cookies and browser identifiers, which can lead to account takeover (ATO). The attacker can then impersonate the victim and change account details such as email addresses, gaining full control over the account, especially if two-factor authentication (2FA) is not enabled. The vulnerability was fixed in version 1.98.2 by sanitizing and restricting dangerous HTML elements and attributes, and by applying sandboxing and other security measures. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to an attacker taking over your n8n account by injecting malicious scripts into forms that authenticated users access. The attacker can steal sensitive tokens such as session cookies and browser identifiers, allowing them to impersonate you. With this access, they can change your account details, including your email address, effectively gaining full control over your account. This risk is especially high if you do not have two-factor authentication (2FA) enabled. Such an account takeover can compromise your workflows, data, and any integrations you have configured in n8n. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability means first identifying whether your n8n instance runs a vulnerable version (>= 1.77.0 and < 1.98.2), and then whether the Form Trigger node's HTML form element is in use in a way that allows injection of `<iframe>` or `<video>`/`<source>` tags. Check the version with `n8n --version` or by inspecting your deployment (`docker ps` if you run n8n in Docker). Monitoring HTTP requests and form submissions for payloads containing `<iframe srcdoc>` or `<video>` tags with `onerror` handlers, and inspecting application logs for unusual form submissions or errors, can help detect exploitation attempts; web application security scanners that detect stored XSS on Form Trigger forms may also be useful. Note that no explicit detection commands are provided in the referenced resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading n8n to version 1.98.2 or later, where the vulnerability is fixed. Additional mitigations involve configuring a reverse proxy to serve webhook requests from a different domain, disabling or restricting the use of the Form Trigger node's HTML element, and implementing a Content Security Policy (CSP) that blocks inline script execution and disallows the use of the srcdoc attribute. These measures reduce the risk of malicious script injection and execution. If upgrading immediately is not possible, applying these mitigations can help reduce exposure until the update is applied. [1, 2]
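The detection and mitigation answers above describe watching form HTML for `<iframe srcdoc>` and `<video>`/`<source>` tags with `onerror` handlers, and sanitizing dangerous elements and attributes. The following is an added example, not n8n's own code: a small JavaScript checker that flags those patterns in a constructed form fragment and strips them. The regex tag scanner, the blocked-element list and the `handler()` attribute values are assumptions for illustration; a real deployment should rely on a maintained HTML sanitizer with an explicit allowlist.

```javascript
// Added example (not n8n's code): flag and strip the markup patterns this CVE
// describes in HTML supplied for a Form Trigger "HTML" element. The tag regex
// is a simplification; use a maintained sanitizer (e.g. DOMPurify) in practice.

// Elements this checker refuses outright (assumed list for illustration).
const BLOCKED_ELEMENTS = new Set(["iframe", "video", "source", "script", "object", "embed"]);
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Lower-cased attribute names found in the raw attribute string of a start tag.
function attrNames(rawAttrs) {
  return [...rawAttrs.matchAll(ATTR_RE)].map((m) => m[1].toLowerCase());
}

// Return findings such as "iframe[srcdoc]" or "source[onerror]"; [] means clean.
function findDangerousMarkup(html) {
  const findings = [];
  for (const [, close, name, rawAttrs] of html.matchAll(TAG_RE)) {
    if (close) continue; // closing tags carry no attributes
    const tag = name.toLowerCase();
    const attrs = attrNames(rawAttrs);
    if (tag === "iframe" && attrs.includes("srcdoc")) findings.push("iframe[srcdoc]");
    else if (BLOCKED_ELEMENTS.has(tag)) findings.push(`<${tag}>`);
    for (const a of attrs) if (a.startsWith("on")) findings.push(`${tag}[${a}]`);
  }
  return findings;
}

// Drop blocked elements (open and close tags) and every on* event handler.
function sanitizeFormHtml(html) {
  return html.replace(TAG_RE, (whole, close, name, rawAttrs) => {
    if (BLOCKED_ELEMENTS.has(name.toLowerCase())) return "";
    if (close) return whole;
    const kept = rawAttrs.replace(ATTR_RE, (m, attr) =>
      attr.toLowerCase().startsWith("on") ? "" : m);
    return `<${name}${kept.trimEnd()}>`;
  });
}

// Constructed sample fragment; "handler()" stands in for any attacker script.
const SAMPLE = '<p class="note" onmouseover="handler()">Hello</p>' +
  '<iframe srcdoc="&lt;p&gt;inner&lt;/p&gt;"></iframe>' +
  '<video><source src="x" onerror="handler()"></video>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(findDangerousMarkup(SAMPLE)); // five findings for the sample
  console.log(sanitizeFormHtml(SAMPLE));    // <p class="note">Hello</p>
}
```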