n8n Stored Cross-Site Scripting Vulnerability in Webhook Response Node

A stored Cross-Site Scripting (XSS) vulnerability exists in n8n versions prior to 1.114.0, specifically within the 'Respond to Webhook' node. This vulnerability allows executable scripts in HTML responses to run in the top-level window, bypassing the sandbox introduced in version 1.103.0. As a result, a malicious actor with permission to create workflows could execute arbitrary JavaScript in the n8n editor interface. Although session cookies are marked 'HttpOnly' and cannot be directly accessed, this vulnerability could enable Cross-Site Request Forgery (CSRF)-like actions within the user's authenticated session, potentially leading to unauthorized access to sensitive workflow data, unauthorized modifications or deletions of workflows, or the insertion of malicious workflow logic.

Impact

Exploitation allows for stored Cross-Site Scripting, with executed scripts running in the context of the n8n editor interface, potentially leading to Cross-Site Request Forgery-like actions.

Remediation

Users can update to n8n version 1.114.0 or later. Additionally, it is recommended to restrict workflow creation and modification privileges to trusted users, avoid using untrusted HTML responses in the 'Respond to Webhook' node, and consider using an external reverse proxy or HTML sanitizer to filter responses containing executable scripts.