CVE-2025-61914
MEDIUM

If your team uses n8n for AI workflow automation, patch to 1.114.0 immediately — any user with workflow creation rights can plant persistent XSS that executes against admins, exposing API keys and LLM credentials stored in the platform. The scope-changed rating (S:C) means a low-privilege attacker reaches beyond their own session. Until patched, lock workflow creation to vetted personnel only and audit existing workflows for suspicious HTML payloads in Respond to Webhook nodes.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | — | No patch |
Do you use n8n? You're affected.
Severity & Risk
Recommended Action
1. PATCH: Upgrade to n8n >= 1.114.0 immediately — this is the only complete fix.
2. RESTRICT: Remove workflow creation/modification rights from non-essential accounts. Apply least-privilege to n8n roles.
3. AUDIT: Search existing workflows for Respond to Webhook nodes returning HTML with <script> tags or event handlers. Script: grep across workflow exports or query the n8n DB for webhook response nodes with an HTML content type.
4. PROXY: If immediate patching is blocked, deploy a WAF or reverse proxy rule to strip executable script tags from n8n webhook responses at the network layer.
5. ROTATE: After patching, rotate all API keys stored as n8n credentials as a precaution if the instance was accessible to untrusted users.
6. DETECT: Monitor for unexpected outbound HTTP requests from n8n instances (credential exfiltration indicator).
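An audit helper for the AUDIT step, added here as an example and not taken from the advisory or the n8n project: it walks an exported workflow and flags Respond to Webhook nodes whose response body carries executable markup. The node type name `n8n-nodes-base.respondToWebhook` and the `responseBody` parameter are assumptions about n8n's export format that you should confirm against one of your own exports before relying on the output.

```python
import re
from typing import Any, Dict, List

# Assumed n8n export conventions (verify against a real export from your instance).
RESPOND_NODE_TYPE = "n8n-nodes-base.respondToWebhook"

# Triage heuristic for executable content in an HTML body: script tags,
# inline event-handler attributes, and javascript: URLs (case-insensitive).
EXECUTABLE_MARKERS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def audit_workflow(workflow: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per Respond to Webhook node whose response body
    matches an executable-content marker. Findings name workflow, node
    and the first marker matched, so reviewers can open the node directly."""
    findings: List[Dict[str, str]] = []
    for node in workflow.get("nodes", []):
        if node.get("type") != RESPOND_NODE_TYPE:
            continue
        body = str(node.get("parameters", {}).get("responseBody", ""))
        match = EXECUTABLE_MARKERS.search(body)
        if match:
            findings.append({
                "workflow": workflow.get("name", "<unnamed>"),
                "node": node.get("name", "<unnamed>"),
                "marker": match.group(0),
            })
    return findings


# Constructed sample export: one benign text response, one HTML response
# carrying a script tag. Not a real workflow.
SAMPLE_EXPORT: Dict[str, Any] = {
    "name": "agent-status",
    "nodes": [
        {"name": "Webhook", "type": "n8n-nodes-base.webhook", "parameters": {}},
        {"name": "Respond OK", "type": RESPOND_NODE_TYPE,
         "parameters": {"respondWith": "text", "responseBody": "<p>ok</p>"}},
        {"name": "Respond HTML", "type": RESPOND_NODE_TYPE,
         "parameters": {"respondWith": "text",
                        "responseBody": "<h1>Status</h1><script>/* untrusted */</script>"}},
    ],
}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_EXPORT):
        print(f"{f['workflow']}: node '{f['node']}' contains {f['marker']!r}")
```

Run it over every file produced by a workflow export (or over rows pulled from the n8n database) and treat each finding as a node to review by hand, since the regex is a triage filter rather than a parser.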
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts.
Exploitation Scenario
An attacker registers or compromises a low-privilege n8n account in an organization using n8n for AI agent orchestration. They create a workflow with a Respond to Webhook node configured to return HTML containing a credential-harvesting JavaScript payload: the script reads document.cookie and localStorage, then exfiltrates them to an attacker-controlled endpoint. The attacker shares the workflow or triggers a context that causes an admin to view its output. The script fires in the top-level n8n window context (bypassing the 1.103.0 sandbox), capturing the admin's session token. With admin access, the attacker modifies existing AI agent workflows to exfiltrate LLM responses, pivot to connected databases, or poison AI pipeline inputs — all without triggering additional authentication prompts.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N