n8n Stored Cross-Site Scripting Vulnerability in Form Trigger Node Allows Account Takeover

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability has been identified in n8n versions from 1.77.0 up to, but not including, 1.98.2. The issue resides in the Form Trigger node's HTML form element, where an authenticated attacker can inject malicious HTML, such as an iframe whose srcdoc attribute carries a payload that executes arbitrary JavaScript. The vulnerability can also be exploited with a video tag containing a source tag that triggers an onerror event. The injected JavaScript can exfiltrate the n8n-browserId and session cookies of authenticated users who interact with the malicious form. This allows the attacker to impersonate the victim and take control of their account, particularly if two-factor authentication is not enabled.

Impact

Exploitation of this vulnerability results in stored Cross-Site Scripting, with the injected JavaScript executed in the browser context of the user who interacts with the malicious form. This leads to account takeover through theft of the victim's session cookies and n8n-browserId, enabling the attacker to impersonate the user and potentially change account details such as the email address.

Reproduction

To reproduce this vulnerability, an authenticated user creates a Form Trigger node and injects malicious HTML into the form element. This can be done by adding an iframe with a srcdoc attribute that includes JavaScript, or by using a video tag with a source tag that uses the onerror event to execute JavaScript. Once the form is submitted, the injected JavaScript is executed, exfiltrating the n8n-browserId and session cookies from the user.

Remediation

Users should upgrade to n8n version 1.98.2 or later. For n8n instance administrators, additional steps include configuring a reverse proxy to serve webhook requests from a different domain, disabling or restricting the use of the Form Trigger node, and implementing a Content Security Policy to block inline scripts and disallow the use of srcdoc.
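The mitigations above work at the deployment layer (origin separation, CSP). The input-side counterpart is to accept only an allowlist of tags and attributes in user-supplied form HTML, which removes the iframe/srcdoc and video/source/onerror constructs this advisory describes. The sanitizer below is an added illustration, not n8n's own code or its actual fix; the allowlists are assumptions, and a production deployment would use a maintained library such as DOMPurify, which handles parser edge cases this does not.

```javascript
// Added example, not n8n's own code: an allowlist sanitizer for user-supplied form HTML.
// The allowlists are assumptions for illustration; a production deployment would use a
// maintained library such as DOMPurify, which also handles parser edge cases this does not.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                              "a", "span", "div", "h1", "h2", "h3", "label"]);
const ALLOWED_ATTRS = new Set(["href", "title", "class"]); // no on* handlers, no srcdoc, no style
const RAW_TEXT_TAGS = new Set(["script", "style"]);        // whole element is skipped, body included
const ATTR_RE = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeAttrs(raw) {
  const kept = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) continue;
    // Links may only be http(s), mailto or same-origin paths; javascript: and data: are rejected.
    if (name === "href" && !/^(https?:|mailto:|\/(?!\/))/i.test(value.trim())) continue;
    kept.push(`${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return kept.length ? " " + kept.join(" ") : "";
}

function sanitizeHtml(input) {
  let out = "", i = 0;
  while (i < input.length) {
    if (input[i] !== "<") { out += input[i++]; continue; }
    // Find the end of the tag, honouring quotes so a quoted ">" (as in srcdoc="<p>..</p>") does not end it.
    let j = i + 1, quote = null;
    while (j < input.length && (quote || input[j] !== ">")) {
      if (quote) { if (input[j] === quote) quote = null; }
      else if (input[j] === '"' || input[j] === "'") quote = input[j];
      j++;
    }
    const m = /^(\/?)([a-zA-Z][a-zA-Z0-9-]*)([\s\S]*)$/.exec(input.slice(i + 1, j));
    if (j >= input.length || !m) { out += "&lt;"; i++; continue; }  // a bare "<" is text, not a tag
    i = j + 1;
    const [, closing, name, attrs] = m;
    const tag = name.toLowerCase();
    if (RAW_TEXT_TAGS.has(tag) && !closing) {
      const end = input.toLowerCase().indexOf(`</${tag}`, i);
      const close = end < 0 ? -1 : input.indexOf(">", end);
      i = close < 0 ? input.length : close + 1;                      // drop script/style with its body
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;                            // iframe, video, source, object... removed
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(attrs)}>`;
  }
  return out;
}
```

Sanitizing on the server before the form HTML is stored or rendered complements, rather than replaces, the CSP and separate webhook origin recommended above.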

Added: Aug 19, 2025, 5:24 PM
Updated: Aug 19, 2025, 5:24 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 5.4
exploitability: 5.6
remediation: 8.3
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.