PT-2025-37731 · N8N · @N8N/N8N-Nodes-Langchain.Chattrigger
5H0Lm3S
Published: 2025-09-15
Updated: 2025-10-14
CVE-2025-58177
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
n8n versions 1.24.0 through 1.106.0
Description
n8n is a workflow automation platform. A stored cross-site scripting (XSS) vulnerability exists in the @n8n/n8n-nodes-langchain.chatTrigger node. An authorized user can configure the LangChain Chat Trigger node with malicious JavaScript in the initialMessages field and enable public access, leading to payload execution in the browser of any user who visits the resulting public chat URL. This could be used for phishing or to steal cookies or other sensitive data from users accessing the public chat link.
Recommendations
Update to version 1.107.0 or later.
As a workaround, disable the @n8n/n8n-nodes-langchain.chatTrigger node.
Exploit
Fix
XSS
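The affected range and the conditions in the description (a Chat Trigger node with public access and markup in initialMessages) can be checked against exported workflows. The following is an added example, not code from n8n or from this advisory. The export layout (`nodes`, `type`, `parameters`, `disabled`), the `public` parameter key and the sample workflow are assumptions, and the markup pattern is a heuristic.

```javascript
// Added example (not n8n code). Assumed: exports carry a `nodes` array of
// { name, type, parameters, disabled }, with parameter keys `public` / `initialMessages`.
const CHAT_TRIGGER = '@n8n/n8n-nodes-langchain.chatTrigger';
const FIXED = [1, 107, 0];      // advisory: update to 1.107.0 or later
const FIRST_BAD = [1, 24, 0];   // advisory: affected from 1.24.0

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version is >= 1.24.0 and below the fixed release. Patch
// releases of 1.106 are treated as needing the update (conservative choice).
function needsUpdate(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const v = m.slice(1, 4).map(Number);
  return cmp(v, FIRST_BAD) >= 0 && cmp(v, FIXED) < 0;
}

// Heuristic: tag openers, javascript: URIs, inline event-handler attributes.
const MARKUP = /<\s*[a-z!\/]|javascript:|\bon[a-z]+\s*=/i;

function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    // Disabled nodes are skipped: disabling the node is the advisory's workaround.
    if (node.type !== CHAT_TRIGGER || node.disabled === true) continue;
    const p = node.parameters || {};
    const text = String(p.initialMessages ?? (p.options || {}).initialMessages ?? '');
    const isPublic = p.public === true;
    const hasMarkup = MARKUP.test(text);
    if (!isPublic && !hasMarkup) continue;
    findings.push({ node: node.name, isPublic, hasMarkup,
      severity: isPublic && hasMarkup ? 'high' : 'review' });
  }
  return findings;
}

// Constructed sample export, for illustration only.
const SAMPLE_WORKFLOW = { name: 'support-bot', nodes: [
  { name: 'Public chat', type: CHAT_TRIGGER, parameters: { public: true,
      initialMessages: 'Hi!\n<script>/* constructed placeholder */</script>' } },
  { name: 'Internal chat', type: CHAT_TRIGGER, parameters: { public: false,
      initialMessages: 'Hi there! How can I help?' } },
  { name: 'Plain public chat', type: CHAT_TRIGGER, parameters: { public: true,
      initialMessages: 'Welcome.' } },
  { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest', parameters: {} },
] };
console.log(needsUpdate('1.106.0'), auditWorkflow(SAMPLE_WORKFLOW));
```

A `high` finding is a public chat whose initial message already contains markup; `review` marks a public chat or a markup-bearing message on its own, which still warrants a look on an instance that `needsUpdate` reports as affected.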
Affected Products
@N8N/N8N-Nodes-Langchain.Chattrigger
N8N