PT-2025-37731 · N8N · N8N+1

5H0Lm3S +1 · Published 2025-09-15 · Updated 2025-10-14 · CVE-2025-58177

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: n8n versions 1.24.0 through 1.106.0

Description: n8n is a workflow automation platform. A stored cross-site scripting (XSS) vulnerability exists in the @n8n/n8n-nodes-langchain.chatTrigger node. An authorized user can configure the LangChain Chat Trigger node with malicious JavaScript in the initialMessages field and enable public access, leading to payload execution in the browser of any user who visits the resulting public chat URL. This could be used for phishing or to steal cookies or other sensitive data from users accessing the public chat link.

Recommendations: Update to version 1.107.0 or later. As a workaround, disable the @n8n/n8n-nodes-langchain.chatTrigger node.
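
A defensive check for the condition described above, as an added example (not code from n8n or from this advisory): it scans an exported workflow for Chat Trigger nodes that are public and carry markup in the initial messages. The export layout and the parameter names `public` and `options` are assumptions; the node type and `initialMessages` come from the description.

```javascript
// Added example: audit an exported n8n workflow for exposure to CVE-2025-58177.
const CHAT_TRIGGER = '@n8n/n8n-nodes-langchain.chatTrigger';

// Compare two dotted versions numerically; negative, zero or positive like a sort callback.
function cmp(a, b) {
  const x = a.split('.').map(Number), y = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) - (y[i] || 0);
  return 0;
}

// Advisory range is 1.24.0 through 1.106.0, fixed in 1.107.0. Conservative assumption:
// anything from 1.24.0 up to (not including) 1.107.0 is treated as affected.
function isAffectedVersion(version) {
  return cmp(version, '1.24.0') >= 0 && cmp(version, '1.107.0') < 0;
}

// Assumption: the export is { name, nodes: [{ name, type, parameters }] }, public access
// is stored as parameters.public, and the greeting is parameters.initialMessages
// (possibly nested under parameters.options).
function auditWorkflow(workflow, n8nVersion) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    if (node.type !== CHAT_TRIGGER) continue;
    const p = node.parameters ?? {};
    const messages = String(p.initialMessages ?? p.options?.initialMessages ?? '');
    const isPublic = p.public === true;
    const markup = /<[a-z!\/]|&#|javascript:/i.test(messages); // markup in a plain-text greeting
    let severity = 'info'; // node present, nothing suspicious
    if (isPublic && markup) severity = isAffectedVersion(n8nVersion) ? 'high' : 'review';
    else if (isPublic || markup) severity = 'review';
    findings.push({ workflow: workflow.name, node: node.name, isPublic, markup, severity });
  }
  return findings;
}

// Constructed sample export (not taken from a real instance); the markup is harmless.
const sampleWorkflow = {
  name: 'support-bot',
  nodes: [
    { name: 'Chat A', type: CHAT_TRIGGER,
      parameters: { public: true, initialMessages: 'Hi <b>there</b>' } },
    { name: 'Chat B', type: CHAT_TRIGGER,
      parameters: { public: false, initialMessages: 'Hi there! How can I help?' } },
    { name: 'HTTP', type: 'n8n-nodes-base.httpRequest', parameters: {} },
  ],
};

console.log(auditWorkflow(sampleWorkflow, '1.105.2'));
```

A `high` finding on an affected version is a candidate for the workaround (disabling the node) until the instance is on 1.107.0 or later.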

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2025-58177
GHSA-MVH4-2CM2-6HPG

Affected products

@n8n/n8n-nodes-langchain.chatTrigger
n8n