CVE-2025-61914: n8n: XSS enables session hijacking

MEDIUM
Published December 26, 2025
CISO Take

If your team uses n8n for AI workflow automation, patch to 1.114.0 immediately — any user with workflow creation rights can plant persistent XSS that executes against admins, exposing API keys and LLM credentials stored in the platform. The scope-changed rating (S:C) means a low-privilege attacker reaches beyond their own session. Until patched, lock workflow creation to vetted personnel only and audit existing workflows for suspicious HTML payloads in Respond to Webhook nodes.

Risk Assessment

CVSS 5.4 understates operational risk in AI-agent contexts. n8n frequently stores LLM API keys, database credentials, and webhook secrets — all reachable via session hijacking from a successful XSS. The Scope:Changed vector confirms attacker impact extends beyond the vulnerable component into the broader n8n instance. Stored XSS is persistent: a single malicious workflow infects every privileged user who views it. Real-world risk is MEDIUM-HIGH for organizations running n8n as their AI agent orchestration layer.

Affected Systems

Package: n8n
Ecosystem: npm
Vulnerable Range: (empty)
Patched: No patch


Severity & Risk

CVSS 3.1: 5.4 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 3% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None

Recommended Action

6 steps
  1. PATCH

    Upgrade to n8n >= 1.114.0 immediately — this is the only complete fix.

  2. RESTRICT

    Remove workflow creation/modification rights from non-essential accounts. Apply least-privilege to n8n roles.

  3. AUDIT

    Search existing workflows for Respond to Webhook nodes returning HTML with <script> tags or event handlers. Script: grep across workflow exports or query n8n DB for webhook response nodes with HTML content type.

  4. PROXY

    If immediate patching is blocked, deploy a WAF or reverse proxy rule to strip executable script tags from n8n webhook responses at the network layer.

  5. ROTATE

    After patching, rotate all API keys stored as n8n credentials as a precaution if the instance was accessible to untrusted users.

  6. DETECT

    Monitor for unexpected outbound HTTP requests from n8n instances (credential exfil indicator).
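The audit in step 3, as an added Python example (not n8n's own tooling): it walks an exported workflow JSON and flags every Respond to Webhook node whose response body carries executable markup, and separately flags bodies that are n8n expressions, since those can only be judged at run time. The node type id, the responseBody parameter name and the response-header layout are assumptions about the export format; the sample export is constructed.

```python
import json
import re

RESPOND_NODE_TYPE = "n8n-nodes-base.respondToWebhook"  # assumed n8n node type id
# Markers of executable HTML: <script>, inline on* event handlers, javascript: URLs.
EXECUTABLE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def _content_type(params: dict) -> str:
    # Assumed layout: parameters.options.responseHeaders.entries = [{name, value}, ...]
    entries = params.get("options", {}).get("responseHeaders", {}).get("entries", [])
    for header in entries:
        if str(header.get("name", "")).lower() == "content-type":
            return str(header.get("value", ""))
    return ""

def audit_workflow(workflow: dict) -> list[dict]:
    """One finding per Respond to Webhook node with executable markup or an expression body."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != RESPOND_NODE_TYPE:
            continue
        params = node.get("parameters", {})
        body = str(params.get("responseBody", ""))  # assumed parameter name
        if body.startswith("="):
            reason = "dynamic expression body, review manually"
        elif (hit := EXECUTABLE.search(body)):
            reason = f"executable markup: {hit.group(0)!r}"
        else:
            continue  # plain text / JSON bodies are not rendered as HTML
        findings.append({"workflow": workflow.get("name", "?"), "node": node.get("name", "?"),
                         "content_type": _content_type(params) or "(unset)", "reason": reason})
    return findings

def audit_export(raw_json: str) -> list[dict]:
    """Accept a single workflow export or a list of exports (bulk export)."""
    data = json.loads(raw_json)
    return [f for wf in (data if isinstance(data, list) else [data]) for f in audit_workflow(wf)]

# Constructed sample export (not a real n8n export): benign JSON, <script>, inline handler, expression.
SAMPLE_EXPORT = json.dumps({"name": "agent-demo", "nodes": [
    {"name": "JSON reply", "type": RESPOND_NODE_TYPE,
     "parameters": {"respondWith": "json", "responseBody": "{\"ok\": true}"}},
    {"name": "Status page", "type": RESPOND_NODE_TYPE,
     "parameters": {"respondWith": "text", "responseBody": "<h1>ok</h1><script>console.log(1)</script>",
                    "options": {"responseHeaders": {"entries": [{"name": "Content-Type", "value": "text/html"}]}}}},
    {"name": "Banner", "type": RESPOND_NODE_TYPE,
     "parameters": {"respondWith": "text", "responseBody": "<body onload=console.log(1)>"}},
    {"name": "Templated", "type": RESPOND_NODE_TYPE,
     "parameters": {"respondWith": "text", "responseBody": "={{ $json.html }}"}}]})
```

Run it over the output of an n8n workflow export; an expression-body finding still needs a human to check where that HTML comes from.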

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  8.4 - AI system risk management
  A.6.2 - Controls for responsible AI development and deployment
NIST AI RMF
  GOVERN 6.2 - Policies and procedures are in place to address AI risk
  MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and to address the identified bias, risks, and other problems
OWASP LLM Top 10
  LLM02 - Insecure Output Handling
  LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-61914?

If your team uses n8n for AI workflow automation, patch to 1.114.0 immediately — any user with workflow creation rights can plant persistent XSS that executes against admins, exposing API keys and LLM credentials stored in the platform. The scope-changed rating (S:C) means a low-privilege attacker reaches beyond their own session. Until patched, lock workflow creation to vetted personnel only and audit existing workflows for suspicious HTML payloads in Respond to Webhook nodes.

Is CVE-2025-61914 actively exploited?

No confirmed active exploitation of CVE-2025-61914 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-61914?

  1. PATCH: Upgrade to n8n >= 1.114.0 immediately — this is the only complete fix.
  2. RESTRICT: Remove workflow creation/modification rights from non-essential accounts. Apply least-privilege to n8n roles.
  3. AUDIT: Search existing workflows for Respond to Webhook nodes returning HTML with <script> tags or event handlers. Script: grep across workflow exports or query n8n DB for webhook response nodes with HTML content type.
  4. PROXY: If immediate patching is blocked, deploy a WAF or reverse proxy rule to strip executable script tags from n8n webhook responses at the network layer.
  5. ROTATE: After patching, rotate all API keys stored as n8n credentials as a precaution if the instance was accessible to untrusted users.
  6. DETECT: Monitor for unexpected outbound HTTP requests from n8n instances (credential exfil indicator).

What systems are affected by CVE-2025-61914?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow automation pipelines, LLM integration layers, API orchestration.

What is the CVSS score for CVE-2025-61914?

CVE-2025-61914 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts.

Exploitation Scenario

An attacker registers or compromises a low-privilege n8n account in an organization using n8n for AI agent orchestration. They create a workflow with a Respond to Webhook node configured to return HTML containing a credential-harvesting JavaScript payload: the script reads document.cookie and localStorage, then exfiltrates them to an attacker-controlled endpoint. The attacker shares the workflow or triggers a context that causes an admin to view its output. The script fires in the top-level n8n window context (bypassing the 1.103.0 sandbox), capturing the admin's session token. With admin access, the attacker modifies existing AI agent workflows to exfiltrate LLM responses, pivot to connected databases, or poison AI pipeline inputs — all without triggering additional authentication prompts.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
December 26, 2025
Last Modified
December 31, 2025
First Seen
December 26, 2025

Related Vulnerabilities