CVE-2025-61914: n8n: XSS enables session hijacking

MEDIUM
Published December 26, 2025
CISO Take

If your team uses n8n for AI workflow automation, patch to 1.114.0 immediately — any user with workflow creation rights can plant persistent XSS that executes against admins, exposing API keys and LLM credentials stored in the platform. The scope-changed rating (S:C) means a low-privilege attacker reaches beyond their own session. Until patched, lock workflow creation to vetted personnel only and audit existing workflows for suspicious HTML payloads in Respond to Webhook nodes.

What is the risk?

CVSS 5.4 understates operational risk in AI-agent contexts. n8n frequently stores LLM API keys, database credentials, and webhook secrets — all reachable via session hijacking from a successful XSS. The Scope:Changed vector confirms attacker impact extends beyond the vulnerable component into the broader n8n instance. Stored XSS is persistent: a single malicious workflow infects every privileged user who views it. Real-world risk is MEDIUM-HIGH for organizations running n8n as their AI agent orchestration layer.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
n8n | npm | | No patch

Do you use n8n? You're affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None

What should I do?

6 steps
  1. PATCH

    Upgrade to n8n >= 1.114.0 immediately — this is the only complete fix.

  2. RESTRICT

    Remove workflow creation/modification rights from non-essential accounts. Apply least-privilege to n8n roles.

  3. AUDIT

    Search existing workflows for Respond to Webhook nodes returning HTML with <script> tags or event handlers. Script: grep across workflow exports or query n8n DB for webhook response nodes with HTML content type.

  4. PROXY

    If immediate patching is blocked, deploy a WAF or reverse proxy rule to strip executable script tags from n8n webhook responses at the network layer.

  5. ROTATE

    After patching, rotate all API keys stored as n8n credentials as a precaution if the instance was accessible to untrusted users.

  6. DETECT

    Monitor for unexpected outbound HTTP requests from n8n instances (credential exfil indicator).
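The AUDIT step above can be scripted. The following is an added example (not n8n project code) that scans workflow JSON exports for Respond to Webhook nodes whose body contains script tags, inline event handlers or javascript: URIs, and reports whether the node also declares an HTML Content-Type. It assumes the export layout named in the docstring (node type id, responseBody and responseHeaders paths); verify those against your n8n version.

```python
"""Scan exported n8n workflows for Respond to Webhook nodes returning executable
HTML. Assumed export format (verify for your n8n version): JSON with a "nodes" list,
type id "n8n-nodes-base.respondToWebhook", body in parameters.responseBody, headers
in parameters.options.responseHeaders.entries[{name, value}]."""
import json
import re
import sys

RESPOND_NODE_TYPE = "n8n-nodes-base.respondToWebhook"  # assumed node type id
# Heuristics for executable content: <script>, inline handlers (onerror=...), javascript: URIs.
EXECUTABLE_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}

def declares_html(node):
    """True if the node sets a Content-Type response header containing 'html'."""
    entries = node.get("parameters", {}).get("options", {}).get("responseHeaders", {}).get("entries", [])
    return any(e.get("name", "").lower() == "content-type" and "html" in e.get("value", "").lower()
               for e in entries)

def audit_workflow(workflow):
    """Return one finding per Respond to Webhook node whose body matches an executable pattern."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != RESPOND_NODE_TYPE:
            continue
        body = node.get("parameters", {}).get("responseBody", "")
        body = body if isinstance(body, str) else json.dumps(body)  # JSON bodies are scanned too
        hits = [name for name, pat in EXECUTABLE_PATTERNS.items() if pat.search(body)]
        if hits:
            findings.append({"workflow": workflow.get("name", "?"), "node": node.get("name", "?"),
                             "html_content_type": declares_html(node), "indicators": hits})
    return findings

# Constructed sample export (not a real workflow): one benign node, one that should be flagged.
SAMPLE_EXPORT = {"name": "demo", "nodes": [
    {"name": "OK reply", "type": RESPOND_NODE_TYPE,
     "parameters": {"responseBody": "<p>Thanks, your request was received.</p>"}},
    {"name": "Bad reply", "type": RESPOND_NODE_TYPE,
     "parameters": {"responseBody": '<h1>Hi</h1><img src=x onerror="f()"><script>f()</script>',
                    "options": {"responseHeaders": {"entries": [{"name": "Content-Type", "value": "text/html"}]}}}}]}

if __name__ == "__main__":
    # Usage: python audit_n8n.py export1.json export2.json ...  (no args: scan the sample)
    exports = [json.load(open(p)) for p in sys.argv[1:]] or [SAMPLE_EXPORT]
    for wf in exports:
        for finding in audit_workflow(wf):
            print(json.dumps(finding))
```

Findings are heuristic: review each flagged node by hand, and treat a match in a node that also sets an HTML Content-Type as the highest priority.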

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
8.4 - AI system risk management
A.6.2 - Controls for responsible AI development and deployment
NIST AI RMF
GOVERN 6.2 - Policies and procedures are in place to address AI risk
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and to address the identified bias, risks, and other problems
OWASP LLM Top 10
LLM02 - Insecure Output Handling
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-61914?

If your team uses n8n for AI workflow automation, patch to 1.114.0 immediately — any user with workflow creation rights can plant persistent XSS that executes against admins, exposing API keys and LLM credentials stored in the platform. The scope-changed rating (S:C) means a low-privilege attacker reaches beyond their own session. Until patched, lock workflow creation to vetted personnel only and audit existing workflows for suspicious HTML payloads in Respond to Webhook nodes.

Is CVE-2025-61914 actively exploited?

No confirmed active exploitation of CVE-2025-61914 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-61914?

1. PATCH: Upgrade to n8n >= 1.114.0 immediately — this is the only complete fix.
2. RESTRICT: Remove workflow creation/modification rights from non-essential accounts. Apply least-privilege to n8n roles.
3. AUDIT: Search existing workflows for Respond to Webhook nodes returning HTML with <script> tags or event handlers. Script: grep across workflow exports or query n8n DB for webhook response nodes with HTML content type.
4. PROXY: If immediate patching is blocked, deploy a WAF or reverse proxy rule to strip executable script tags from n8n webhook responses at the network layer.
5. ROTATE: After patching, rotate all API keys stored as n8n credentials as a precaution if the instance was accessible to untrusted users.
6. DETECT: Monitor for unexpected outbound HTTP requests from n8n instances (credential exfil indicator).

What systems are affected by CVE-2025-61914?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation pipelines, LLM integration layers, API orchestration.

What is the CVSS score for CVE-2025-61914?

CVE-2025-61914 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, workflow automation pipelines, LLM integration layers, API orchestration

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 8.4, A.6.2
NIST AI RMF: GOVERN 6.2, MANAGE 2.2
OWASP LLM Top 10: LLM02, LLM07

What are the technical details?

Original Advisory

n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts.

Exploitation Scenario

An attacker registers or compromises a low-privilege n8n account in an organization using n8n for AI agent orchestration. They create a workflow with a Respond to Webhook node configured to return HTML containing a credential-harvesting JavaScript payload: the script reads document.cookie and localStorage, then exfiltrates them to an attacker-controlled endpoint. The attacker shares the workflow or triggers a context that causes an admin to view its output. The script fires in the top-level n8n window context (bypassing the 1.103.0 sandbox), capturing the admin's session token. With admin access, the attacker modifies existing AI agent workflows to exfiltrate LLM responses, pivot to connected databases, or poison AI pipeline inputs — all without triggering additional authentication prompts.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets and style property, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
December 26, 2025
Last Modified
December 31, 2025
First Seen
December 26, 2025
