CVE-2025-56265: n8n: unrestricted file upload RCE via Chat Trigger

Severity: HIGH | PoC available | CISA SSVC: Attend
Published September 8, 2025
CISO Take

n8n's Chat Trigger accepts unrestricted file uploads, allowing a low-privileged attacker to store crafted HTML that executes arbitrary code in administrators' browsers; a public PoC is already available. Organizations using n8n for AI agent orchestration face full workflow compromise, including exposure of API keys for OpenAI, Anthropic, and any other connected service stored in the credential vault. Patch immediately, or disable Chat Trigger nodes in all exposed workflows and rotate all stored credentials.

Risk Assessment

High risk. CVSS 8.8 with a network-accessible vector, low attack complexity, and only low privileges required makes this trivially exploitable; with a public PoC it is script-kiddie territory. The Chat Trigger is designed to be internet-facing (it is a chatbot endpoint), which dramatically broadens the attack surface compared to internal-only components. n8n instances routinely hold credentials for LLM APIs, databases, cloud services, and communication platforms, making them high-value targets. Any organization running n8n as part of an AI pipeline that has not patched should treat this as an active incident.

Affected Systems

Package: n8n
Ecosystem: npm
Vulnerable range: (not given)
Patched: No patch


Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 26% of all CVEs)
Exploitation status: Exploit available; exploitation likelihood MEDIUM
Sophistication: Trivial
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

6 steps
  1. PATCH

    Upgrade n8n beyond affected versions (1.95.3, 1.100.1, 1.101.1) as soon as a fixed release is available; monitor github.com/n8n-io/n8n releases.

  2. WORKAROUND

    Disable Chat Trigger nodes in all workflows immediately; replace with authenticated webhook triggers if chat functionality is business-critical.

  3. AUDIT

    Inventory all n8n instances across the organization; identify which have Chat Trigger nodes and internet exposure.

  4. ROTATE CREDENTIALS

    If exploitation cannot be ruled out, treat all credentials stored in n8n as compromised — rotate LLM API keys, DB passwords, OAuth tokens, and webhook secrets.

  5. DETECT

    Review n8n server logs for unexpected file uploads to Chat Trigger endpoints; monitor for anomalous outbound connections from n8n hosts.

  6. NETWORK CONTROLS

    Place all n8n instances behind VPN or authentication proxy; never expose Chat Trigger directly to the public internet without additional access controls.
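Steps 2, 5 and 6 come down to keeping browser-renderable files away from the Chat Trigger. The following is an added example, not n8n's own code or the advisory's: an upload guard that a reverse proxy or WAF hook could run in front of the chat endpoint, assuming the Chat Trigger path /webhook/<id>/chat and a standard multipart/form-data upload.

```python
"""Screen multipart uploads bound for an n8n Chat Trigger endpoint.
Added example, not n8n's own code: a reverse proxy or WAF hook would call
screen_upload() and drop the request on any 'deny' verdict."""
import re
from email.parser import BytesParser

# Assumption: Chat Trigger webhooks are served under /webhook/<id>/chat
# (and /webhook-test/<id>/chat while a workflow is being tested).
CHAT_PATH = re.compile(r"^/webhook(?:-test)?/[^/]+/chat$")
# Declared types and extensions a browser renders as active content when the
# stored file is later opened from the n8n UI (the stored-XSS path above).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml"}
ACTIVE_EXTS = (".html", ".htm", ".xhtml", ".shtml", ".mhtml", ".svg", ".xml")
# Markers that expose HTML hiding behind a benign extension or declared type.
SNIFF_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<svg", b"<iframe")

def uploaded_files(content_type, body):
    """Yield (filename, declared_type, data) for every file part of a
    multipart/form-data body, parsed with the stdlib MIME parser."""
    raw = b"MIME-Version: 1.0\r\nContent-Type: " + content_type.encode() + b"\r\n\r\n" + body
    for part in BytesParser().parsebytes(raw).walk():
        name = part.get_filename()
        if name:  # plain form fields (the chat text itself) carry no filename
            yield name, part.get_content_type(), part.get_payload(decode=True) or b""

def screen_upload(path, content_type, body):
    """Return 'allow' or 'deny: <reason>' for one inbound request."""
    if not CHAT_PATH.match(path) or not content_type.lower().startswith("multipart/form-data"):
        return "allow"  # not a Chat Trigger file upload; outside this guard's scope
    for name, ctype, data in uploaded_files(content_type, body):
        if name.lower().endswith(ACTIVE_EXTS):
            return f"deny: active-content extension on {name}"
        if ctype in ACTIVE_TYPES:
            return f"deny: declared type {ctype} on {name}"
        # Sniff the first KB regardless of what the client claims; a text note
        # that merely mentions a tag is rejected too, which is the safe side.
        if any(m in data[:1024].lower() for m in SNIFF_MARKERS):
            return f"deny: HTML markup sniffed in {name}"
    return "allow"

# Constructed sample requests, not captured traffic.
CT = "multipart/form-data; boundary=b1"
SPOOFED = (b'--b1\r\nContent-Disposition: form-data; name="chatInput"\r\n\r\nhello\r\n'
           b'--b1\r\nContent-Disposition: form-data; name="files"; filename="notes.txt"\r\n'
           b"Content-Type: text/plain\r\n\r\n<!DOCTYPE html><html><body>x</body></html>\r\n--b1--\r\n")
BENIGN = (b'--b1\r\nContent-Disposition: form-data; name="files"; filename="notes.txt"\r\n'
          b"Content-Type: text/plain\r\n\r\njust a note\r\n--b1--\r\n")
```

Logging every deny verdict with the source address gives the detection signal step 5 asks for, without relying on n8n's own log format.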

CISA SSVC Assessment

Decision: Attend
Exploitation: PoC
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.5 - AI system security controls
NIST AI RMF: MANAGE 2.2 - Risk treatments including risk sharing and residual risk management
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2025-56265 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-56265, increasing the risk of exploitation.

What systems are affected by CVE-2025-56265?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI chatbots, RAG pipelines, workflow automation, API integrations.

What is the CVSS score for CVE-2025-56265?

CVE-2025-56265 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file.

Exploitation Scenario

Attacker discovers an internet-facing n8n instance with a public Chat Trigger endpoint — searchable via Shodan or similar. Using the chat interface with minimal or no authentication (PR:L in CVSS), attacker uploads a crafted HTML file containing JavaScript that exfiltrates session cookies to an attacker-controlled server. When an n8n administrator reviews the chat session or interaction logs, the stored XSS fires in their browser, stealing the admin session token. Attacker authenticates as admin, opens the credential manager, and harvests all stored API keys — OpenAI, Anthropic, Pinecone, Slack, database URIs. They then modify an existing AI agent workflow to silently exfiltrate all user queries and LLM responses to an external endpoint, effectively wiretapping the organization's AI pipeline without any further access requirements.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: September 8, 2025
Last Modified: September 12, 2025
First Seen: September 8, 2025

Related Vulnerabilities