CVE-2026-56358
Status: Received - Intake
Stored XSS in n8n Workflow Automation Platform

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can inject XSS payloads that execute persistently for all form visitors, enabling form hijacking and phishing attacks.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (7 associated CPEs)

Vendor   Product  Version / Range
n8n      n8n      to 1.123.25 (exc)
n8n      n8n      to 2.11.2 (exc)
n8n      n8n      2.12.0
n8n-io   n8n      to 1.123.25 (exc) / to 2.11.2 (exc)
n8n-io   n8n      1.123.25
n8n-io   n8n      2.11.2
n8n-io   n8n      2.12.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue found in the Form Trigger node of n8n versions before 1.123.25 (1.x) and before 2.11.2 (2.x). It arises from improper sanitization of CSS input, allowing authenticated users with workflow creation or modification permissions to inject malicious scripts.

These injected scripts persistently execute for all visitors of the published form, enabling attackers to hijack form submissions or conduct phishing attacks.

Impact Analysis

If exploited, this vulnerability allows attackers with workflow creation permissions to inject malicious scripts into published forms that execute for every visitor. Possible consequences include:

  • Hijacking of form submissions
  • Conducting phishing attacks targeting form visitors

Although the Content Security Policy (CSP) prevents direct theft of n8n session cookies, it does not stop script execution or manipulation of form actions, which can still lead to significant security risks.

Detection Guidance

This vulnerability exists in n8n versions prior to 1.123.25 (1.x) and 2.11.2 (2.x), specifically in the Form Trigger node's CSS sanitization, which allows authenticated users with workflow creation permissions to inject malicious scripts.

Detection involves verifying the n8n version in use and checking if the Form Trigger node is enabled and accessible to users with workflow creation or modification permissions.

To identify vulnerable installations, check the installed n8n version, for example:

  • n8n --version
  • docker exec -it <container_name> n8n --version

Additionally, reviewing workflow permissions and nodes in use can help identify if the Form Trigger node is active and accessible to potentially malicious users.
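The version check described above, written out as an added shell example that is not part of this record or of n8n itself. It assumes `n8n --version` prints a bare MAJOR.MINOR.PATCH string and compares it against the fixed releases the record names for each release line:

```sh
#!/bin/sh
# Added example, not part of this record: classify an n8n version against the
# fixed releases named for CVE-2026-56358 (1.123.25 on the 1.x line, 2.11.2 on
# the 2.x line; 2.12.0 also carries the fix).

# Numeric compare of two MAJOR.MINOR.PATCH strings; prints -1, 0 or 1.
# A pre-release suffix such as "-rc.1" is ignored (assumption: compare the base).
vercmp() {
  av=${1%%-*}; bv=${2%%-*}
  for i in 1 2 3; do
    a=${av%%.*}; b=${bv%%.*}
    if [ "${a:-0}" -lt "${b:-0}" ]; then printf '%s\n' -1; return 0; fi
    if [ "${a:-0}" -gt "${b:-0}" ]; then printf '%s\n' 1; return 0; fi
    case $av in *.*) av=${av#*.} ;; *) av=0 ;; esac
    case $bv in *.*) bv=${bv#*.} ;; *) bv=0 ;; esac
  done
  printf '%s\n' 0
}

# Prints the status for one version string. Exit status: 0 fixed, 1 vulnerable,
# 2 when the major version is outside the 1.x/2.x lines this record covers.
cve_2026_56358_status() {
  case ${1%%.*} in
    1) fixed=1.123.25 ;;
    2) fixed=2.11.2 ;;
    *) echo "unsupported major version: $1"; return 2 ;;
  esac
  if [ "$(vercmp "$1" "$fixed")" -lt 0 ]; then
    echo "vulnerable: $1 (upgrade to $fixed or later)"; return 1
  fi
  echo "fixed: $1"
  return 0
}

# Check the local install, i.e. the `n8n --version` step from the guidance above.
check_installed_n8n() {
  v=$(n8n --version 2>/dev/null) || { echo "n8n not found on PATH"; return 2; }
  cve_2026_56358_status "$v"
}
```

For a container, run the same check with `docker exec <container_name> n8n --version` as the version source.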

Mitigation Strategies

Immediate mitigation steps include upgrading n8n to a patched version: 1.123.25, 2.11.2, or later (such as 2.12.0).

If upgrading is not immediately possible, temporary mitigations include:

  • Restrict workflow creation and modification permissions to trusted users only.
  • Disable the Form Trigger node by setting the environment variable NODES_EXCLUDE to exclude it.

Compliance Impact

This vulnerability allows authenticated users to inject malicious scripts that persistently execute for all visitors of a form, enabling form hijacking and phishing attacks.

Such attacks could lead to unauthorized manipulation of user data or phishing of sensitive information, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive data.

The Content Security Policy (CSP) in place prevents direct theft of session cookies, but it does not block script execution or manipulation of form actions.

Organizations using affected versions of n8n should consider this vulnerability a risk to data integrity and user trust, potentially affecting regulatory compliance if exploited.
