GHSA-q4fm-pjq6-m63g: n8n: Stored XSS in Form Trigger enables phishing

GHSA-q4fm-pjq6-m63g MEDIUM
Published March 27, 2026
CISO Take

Any authenticated n8n user with workflow edit rights can plant a persistent XSS payload in a public Form Trigger node, silently hijacking form submissions and phishing every visitor until patched. Upgrade to n8n 2.12.0, 2.11.2, or 1.123.25 immediately. If patching is delayed, lock down workflow creation to fully trusted users only and consider disabling the Form Trigger node entirely via NODES_EXCLUDE.

What is the risk?

CVSS 5.4 Medium understates the operational risk for organizations that use n8n as an AI agent orchestration platform. The score is held down by PR:L and UI:R, but the stored nature of the XSS means a single edit persists and fires for every future form visitor with no further attacker interaction, and those visitors are typically external users outside n8n's own trust boundary (which is why the vector carries S:Changed). The attack requires only low-privilege authenticated access (a workflow creator), a role commonly granted in team deployments. The existing CSP prevents direct theft of the n8n session cookie, but it does not prevent script execution, form action manipulation, or credential harvesting, and the n8n session is not what the attacker is after: the victim is the form visitor, whose submitted data can be copied to an attacker-controlled endpoint before it reaches the workflow. Risk is elevated for any n8n instance with externally published forms collecting user data or credentials.

What systems are affected?

Package   Ecosystem   Vulnerable Range           Patched
n8n       npm         >= 2.0.0-rc.0, < 2.11.2    2.11.2

The range above covers the 2.x branch only; the 1.x branch is fixed separately in 1.123.25 (see Patches under Technical Details).


Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

Attack Vector (AV)          Network
Attack Complexity (AC)      Low
Privileges Required (PR)    Low
User Interaction (UI)       Required
Scope (S)                   Changed
Confidentiality (C)         Low
Integrity (I)               Low
Availability (A)            None

What should I do?

6 steps
  1. PATCH

    Upgrade n8n to 2.12.0, 2.11.2 (2.x branch), or 1.123.25 (1.x branch) immediately.

  2. AUDIT

    Export every workflow and review all existing Form Trigger nodes for suspicious CSS or HTML content. The flaw is in the node's CSS sanitization, so pay particular attention to any CSS-bearing option and to inline styles, closing tags, event handler attributes and other script-like patterns in form field definitions.

  3. RBAC

    Restrict workflow create/modify permissions to fully trusted users only — revoke from any accounts not strictly requiring it.

  4. DISABLE

    If upgrading is not immediately possible, add 'n8n-nodes-base.formTrigger' to the NODES_EXCLUDE environment variable (the value is a JSON array of node type names) to stop the node from loading. Note that every workflow containing a Form Trigger node will stop working while the node is excluded, so inventory those workflows first and treat this as a short-term measure only.

  5. MONITOR

    Log all Form Trigger node creations and modifications; alert on changes by non-admin accounts. Where audit logging is not available in your edition, a scheduled export of all workflows diffed against a known-good baseline gives the same signal.

  6. VERIFY

    After patching, confirm no malicious payloads persist in existing form configurations by re-exporting and inspecting the workflow JSON. The advisory does not state whether previously stored content is re-sanitized at render time after the upgrade, so treat any existing payload as live until it has been removed from the workflow.

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Security by Design
NIST AI RMF
MS-2.5 - Testing and Evaluation of AI System Security
OWASP LLM Top 10
LLM05 - Improper Output Handling

Frequently Asked Questions

What is GHSA-q4fm-pjq6-m63g?

Any authenticated n8n user with workflow edit rights can plant a persistent XSS payload in a public Form Trigger node, silently hijacking form submissions and phishing every visitor until patched. Upgrade to n8n 2.12.0, 2.11.2, or 1.123.25 immediately. If patching is delayed, lock down workflow creation to fully trusted users only and consider disabling the Form Trigger node entirely via NODES_EXCLUDE.

Is GHSA-q4fm-pjq6-m63g actively exploited?

No confirmed active exploitation of GHSA-q4fm-pjq6-m63g has been reported, but organizations should still patch proactively.

How to fix GHSA-q4fm-pjq6-m63g?

1. PATCH: Upgrade n8n to 2.12.0, 2.11.2 (2.x branch), or 1.123.25 (1.x branch) immediately.
2. AUDIT: Review all existing Form Trigger nodes for suspicious CSS or HTML content, especially inline styles or script-like patterns in form field definitions.
3. RBAC: Restrict workflow create/modify permissions to fully trusted users only; revoke them from any accounts not strictly requiring them.
4. DISABLE: If upgrading is not immediately possible, add 'n8n-nodes-base.formTrigger' to the NODES_EXCLUDE environment variable to disable the node entirely.
5. MONITOR: Log all Form Trigger node creations and modifications; alert on changes by non-admin accounts.
6. VERIFY: After patching, confirm no malicious payloads persist in existing form configurations by re-exporting and inspecting workflow JSON.

What systems are affected by GHSA-q4fm-pjq6-m63g?

n8n from npm in the range >= 2.0.0-rc.0 and < 2.11.2 on the 2.x branch; the 1.x branch is fixed in 1.123.25. Any instance in the vulnerable range that serves a published Form Trigger form is exposed. In AI/ML deployment terms this covers the architecture patterns commonly built on n8n: agent frameworks, workflow automation pipelines, human-in-the-loop AI systems, and data collection pipelines.

What is the CVSS score for GHSA-q4fm-pjq6-m63g?

GHSA-q4fm-pjq6-m63g has a CVSS v3.1 base score of 5.4 (MEDIUM).

Technical Details

NVD Description

## Impact

An authenticated user with permission to create or modify workflows could exploit a flaw in the Form Trigger node's CSS sanitization to store a cross-site scripting (XSS) payload. The injected script executes persistently for every visitor of the published form, enabling form submission hijacking and phishing. The existing Content Security Policy prevents direct n8n session cookie theft but does not prevent script execution or form action manipulation.

## Patches

The issue has been fixed in n8n versions 2.12.0, 2.11.2, and 1.123.25. Users should upgrade to one of these versions or later to remediate the vulnerability.

## Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations:

- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Exploitation Scenario

A threat actor gains n8n credentials for a standard workflow creator account — via phishing, credential stuffing, or insider access. They modify an existing published workflow's Form Trigger node, embedding a JavaScript payload disguised as a CSS style value that bypasses the flawed sanitization. The form URL is shared broadly (via email, Slack, or embedded in a customer portal). Every user who opens the form executes the attacker's script: it silently clones the form submission and POSTs credentials or PII to an attacker-controlled endpoint before forwarding the user to the legitimate destination. In AI agent contexts, this intercepts data intended for downstream LLM processing — poisoning the agent's inputs while harvesting user data in parallel.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
March 27, 2026
Last Modified
March 27, 2026
First Seen
March 27, 2026

Related Vulnerabilities