Description

n8n is an open source workflow automation platform. From 1.24.0 to before 1.107.0, there is a stored cross-site scripting (XSS) vulnerability in @n8n/n8n-nodes-langchain.chatTrigger. An authorized user can configure the LangChain Chat Trigger node with malicious JavaScript in the initialMessages field and enable public access so that the payload is executed in the browser of any user who visits the resulting public chat URL. This can be used for phishing or to steal cookies or other sensitive data from users accessing the public chat link. The issue is fixed in version 1.107.0. Updating to 1.107.0 or later is recommended. As a workaround, the affected chatTrigger node can be disabled. No other workarounds are known.

INFO

Published Date :

2025-09-15T16:49:06.949Z

Last Modified :

2025-09-15T17:27:13.707Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58177 vulnerability.

Vendors Products
N8n
  • N8n
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58177.

URL Resource
https://github.com/n8n-io/n8n/commit/d4ef191be0b39b65efa68559a3b8d5dad2e102b2 cve-icon cve-icon
https://github.com/n8n-io/n8n/pull/18148 cve-icon cve-icon
https://github.com/n8n-io/n8n/security/advisories/GHSA-mvh4-2cm2-6hpg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact