CVE-2025-52478 is a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting the n8n workflow automation platform versions from 1.77.0 up to but not including 1.98.2. The vulnerability resides specifically in the Form Trigger node's HTML form element, where insufficient input sanitization allows an authenticated attacker to inject malicious HTML content. The attack vectors include embedding an <iframe> with a crafted srcdoc attribute containing arbitrary JavaScript, or leveraging a combination of <video> and <source> tags with an onerror event handler to execute malicious scripts. This stored XSS enables attackers to exfiltrate sensitive session information such as the n8n-browserId and session cookies from other authenticated users who visit the compromised form. With these stolen tokens, attackers can impersonate victims, leading to account takeover (ATO). This includes the ability to modify critical account details like email addresses, potentially locking out legitimate users. The risk is exacerbated if two-factor authentication (2FA) is not enabled, as attackers can gain full control over the account without additional verification. The vulnerability requires the attacker to have authenticated access to inject the malicious payload and relies on victim user interaction to trigger the exploit by visiting the malicious form. The CVSS v3.1 score is 8.7, reflecting high impact on confidentiality and integrity, with network attack vector, low attack complexity, and partial privileges required. No known exploits in the wild have been reported as of the publication date. Users are strongly advised to upgrade to n8n version 1.98.2 or later, where the issue has been patched.

For European organizations using n8n for workflow automation, this vulnerability poses a significant risk to the confidentiality and integrity of their automation environments. Successful exploitation can lead to account takeover, allowing attackers to manipulate workflows, access sensitive data processed by n8n, and potentially pivot to other internal systems. Given that n8n is often used to integrate various services and automate business-critical processes, compromise could disrupt operations and lead to data breaches. The ability to change account details and bypass authentication controls increases the risk of persistent unauthorized access. Organizations without enforced 2FA are particularly vulnerable. Additionally, the stored nature of the XSS means that multiple users may be exposed once a malicious form is injected, amplifying the impact. The lack of known exploits in the wild suggests limited immediate threat, but the high CVSS score and ease of exploitation by authenticated users necessitate prompt remediation to prevent potential targeted attacks.

1. Upgrade n8n installations to version 1.98.2 or later immediately to apply the official patch addressing this vulnerability. 2. Enforce strong authentication policies, including mandatory two-factor authentication (2FA) for all users to reduce the risk of account takeover. 3. Restrict access to the Form Trigger node configuration to only trusted and necessary users to minimize the attack surface. 4. Implement strict input validation and sanitization on any custom forms or user-generated content within n8n workflows, if customization is used. 5. Monitor logs and user activity for unusual behavior indicative of account compromise, such as unexpected changes to account details or workflow configurations. 6. Educate users about the risks of clicking on untrusted links or forms within the n8n environment to reduce the likelihood of triggering malicious payloads. 7. Consider network segmentation and limiting n8n access to trusted networks to reduce exposure. 8. Regularly review and audit n8n workflows and nodes for unauthorized modifications or suspicious content.