CVE-2025-52478 Information

Aug 20, 2025 cve

Description

n8n is a workflow automation platform. From 1.77.0 to before 1.98.2 a stored Cross-Site Scripting (XSS) vulnerability was identified in n8n specifically in the Form Trigger node’s HTML form element. An authenticated attacker can inject malicious HTML via an with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject malicious Javascript by using <video> coupled <source> using an onerror event. While using iframe or a combination of video and source tag this vulnerability allows for Account Takeover (ATO) by exfiltrating n8n-browserId and session cookies from authenticated users who visit a maliciously crafted form. Using these tokens and cookies an attacker can impersonate the victim and change account details such as email addresses enabling full control over the account—especially if 2FA is not enabled. Users should upgrade to version >= 1.98.2.</p> <h2 id="reference">Reference</h2> <p><a href="https://github.com/n8n-io/n8n/commit/7940384a85041a1890b1203d69c092c887312500"><em><strong>https://github.com/n8n-io/n8n/commit/7940384a85041a1890b1203d69c092c887312500</strong></em></a> <a href="https://github.com/n8n-io/n8n/pull/16329"><em><strong>https://github.com/n8n-io/n8n/pull/16329</strong></em></a> <a href="https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2"><em><strong>https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2</strong></em></a></p> <h2 id="related-cnnvd">Related CNNVD</h2> <p><a href="/CNNVD-202508-2180/">CNNVD-202508-2180</a> (Published: 2025-08-19)</p> <style> #share-buttons {display: inline-block; vertical-align: middle; } #share-buttons:after {content: ""; display: block; clear: both;} #share-buttons > div { position: relative; text-align: left; height: 36px; width: 32px; float: left; text-align: center; } #share-buttons > div > svg {height: 16px; fill: #09de25; margin-top: 10px;} #share-buttons > div:hover {cursor: pointer;} #share-buttons > div.facebook:hover > svg {fill: #09ad1e;} #share-buttons > div.twitter:hover > svg {fill: #09ad1e;} #share-buttons > div.linkedin:hover > svg {fill: #09ad1e;} #share-buttons > div.pinterest:hover > svg {fill: #09ad1e;} #share-buttons > div.gplus:hover > svg {fill: #09ad1e;} #share-buttons > div.mail:hover > svg {fill: #09ad1e;} #share-buttons > div.instagram:hover > svg {fill: #09ad1e;} #share-buttons > div.facebook > svg {height: 18px; margin-top: 9px;} #share-buttons > div.twitter > svg {height: 20px; margin-top: 8px;} #share-buttons > div.linkedin > svg {height: 19px; margin-top: 7px;} #share-buttons > div.pinterest > svg {height: 20px; margin-top: 9px;} #share-buttons > div.mail > svg {height: 14px; margin-top: 11px;} </style> <span style="color: limegreen;">Share on: </span><div id="share-buttons"> <div class="facebook" title="Share this on Facebook" onclick="window.open('http://www.facebook.com/share.php?u=https:\/\/jamesbrine.com.au\/cve-2025-52478-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1343 12v264h-157q-86 0-116 36t-30 108v189h293l-39 296h-254v759h-306v-759h-255v-296h255v-218q0-186 104-288.5t277-102.5q147 0 228 12z"/></svg></div> <div class="twitter" title="Share this on Twitter" onclick="window.open('http://twitter.com/home?status=https:\/\/jamesbrine.com.au\/cve-2025-52478-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1684 408q-67 98-162 167 1 14 1 42 0 130-38 259.5t-115.5 248.5-184.5 210.5-258 146-323 54.5q-271 0-496-145 35 4 78 4 225 0 401-138-105-2-188-64.5t-114-159.5q33 5 61 5 43 0 85-11-112-23-185.5-111.5t-73.5-205.5v-4q68 38 146 41-66-44-105-115t-39-154q0-88 44-163 121 149 294.5 238.5t371.5 99.5q-8-38-8-74 0-134 94.5-228.5t228.5-94.5q140 0 236 102 109-21 205-78-37 115-142 178 93-10 186-50z"/></svg></div> <div class="linkedin" title="Share this on Linkedin" onclick="window.open('https://www.linkedin.com/shareArticle?mini=true&url=https:\/\/jamesbrine.com.au\/cve-2025-52478-information\/&title=&summary=&source=');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M477 625v991h-330v-991h330zm21-306q1 73-50.5 122t-135.5 49h-2q-82 0-132-49t-50-122q0-74 51.5-122.5t134.5-48.5 133 48.5 51 122.5zm1166 729v568h-329v-530q0-105-40.5-164.5t-126.5-59.5q-63 0-105.5 34.5t-63.5 85.5q-11 30-11 81v553h-329q2-399 2-647t-1-296l-1-48h329v144h-2q20-32 41-56t56.5-52 87-43.5 114.5-15.5q171 0 275 113.5t104 332.5z"/></svg></div> <div class="mail" title="Share this through Email" onclick="window.open('mailto:?&body=https:\/\/jamesbrine.com.au\/cve-2025-52478-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1792 710v794q0 66-47 113t-113 47h-1472q-66 0-113-47t-47-113v-794q44 49 101 87 362 246 497 345 57 42 92.5 65.5t94.5 48 110 24.5h2q51 0 110-24.5t94.5-48 92.5-65.5q170-123 498-345 57-39 100-87zm0-294q0 79-49 151t-122 123q-376 261-468 325-10 7-42.5 30.5t-54 38-52 32.5-57.5 27-50 9h-2q-23 0-50-9t-57.5-27-52-32.5-54-38-42.5-30.5q-91-64-262-182.5t-205-142.5q-62-42-117-115.5t-55-136.5q0-78 41.5-130t118.5-52h1472q65 0 112.5 47t47.5 113z"/></svg></div> </div> <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <ins class="adsbygoogle" style="display:block" data-ad-format="fluid" data-ad-layout-key="-gu-18+5g-2f-83" data-ad-client="ca-pub-8803350446980282" data-ad-slot="1897330987"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> </article> </div> </div> </body> </html>