CVE-2025-61914: n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox

December 26, 2025 (updated December 27, 2025)

A stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0.

This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface.

While session cookies (n8n-auth) are marked HttpOnly and cannot be directly exfiltrated, the vulnerability can facilitate Cross-Site Request Forgery (CSRF)-like actions from within the user’s authenticated session, potentially allowing:

Unauthorized reading of sensitive workflow data or execution history.
Unauthorized modification or deletion of workflows.
Insertion of malicious workflow logic or external data exfiltration steps.

n8n instances that allow untrusted users to create workflows are particularly impacted.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-61914 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →