
CVE-2025-61914: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in n8n-io n8n

Severity: High
Tags: Vulnerability, CVE, CVE-2025-61914, CWE-79
Published: Fri Dec 26 2025 (12/26/2025, 21:48:59 UTC)
Source: CVE Database V5
Vendor/Project: n8n-io
Product: n8n

Description

n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts.

AI-Powered Analysis

AI analysis last updated: 12/26/2025, 22:09:47 UTC

Technical Analysis

CVE-2025-61914 is a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting n8n, an open-source workflow automation platform, in versions prior to 1.114.0. The issue specifically involves the “Respond to Webhook” node, which, when configured to respond with HTML content containing executable scripts, fails to properly sandbox that content. Instead of executing scripts within a secure iframe or sandboxed environment (introduced in version 1.103.0), the scripts execute directly in the top-level window context of the n8n editor interface. This improper neutralization of input (CWE-79) allows a malicious actor who has permissions to create or modify workflows to inject and execute arbitrary JavaScript code. Such code execution can lead to theft of session tokens, manipulation of workflows, or further pivoting within the n8n environment. The vulnerability requires the attacker to have workflow creation privileges and some user interaction (triggering the webhook response). Although no known exploits are reported in the wild yet, the vulnerability is significant because of the potential for privilege escalation and persistent code execution within the automation platform. The issue was addressed in n8n version 1.114.0 by enforcing proper sandboxing of webhook responses. Workarounds include restricting workflow creation/modification to trusted users, avoiding untrusted HTML in webhook responses, and deploying external reverse proxies or HTML sanitizers to filter malicious scripts.

Potential Impact

For European organizations, this vulnerability poses a risk to the integrity and confidentiality of automation workflows managed via n8n. Successful exploitation could allow attackers to execute arbitrary JavaScript within the n8n editor, potentially leading to unauthorized access to sensitive workflow data, manipulation of automation processes, and disruption of business-critical operations. Since n8n is used for integrating various services and automating tasks, compromise could cascade into other connected systems, amplifying the impact. Organizations relying on n8n for internal or customer-facing automation workflows may face data leakage, workflow sabotage, or unauthorized privilege escalation. The vulnerability does not directly affect availability but can undermine trust in automation integrity. Given the increasing adoption of workflow automation in Europe, especially in sectors like finance, manufacturing, and public services, the impact could be significant if left unmitigated.

Mitigation Recommendations

1. Upgrade all n8n instances to version 1.114.0 or later, where the vulnerability is patched with proper sandboxing of webhook responses.
2. Restrict workflow creation and modification privileges strictly to trusted and vetted users to reduce the attack surface.
3. Avoid using untrusted or user-supplied HTML content in the “Respond to Webhook” node to prevent injection of executable scripts.
4. Deploy an external reverse proxy or web application firewall (WAF) configured to sanitize or block HTML responses containing executable scripts from n8n webhook endpoints.
5. Implement monitoring and alerting on workflow changes and webhook responses to detect anomalous activity.
6. Educate administrators and developers on secure workflow design and the risks of injecting untrusted content.
7. Regularly audit user permissions and workflow configurations to ensure compliance with least privilege principles.
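As an added illustration of recommendations 4 and 5 (not n8n's code, and not part of the advisory), the following Node.js snippet sketches a reverse-proxy response filter: it flags HTML webhook responses that contain executable content for alerting, and applies the CSP `sandbox` directive so that, even if a script is present, the browser renders the response as a sandboxed document rather than executing it in the top-level window. The webhook path prefixes and the sample responses are assumptions constructed for the example.

```javascript
// Added example, not n8n's own code: reverse-proxy style filter for HTML served
// from webhook endpoints, combining detection (alerting) with hardening (CSP sandbox).

// Assumed default n8n webhook path prefixes; adjust for your deployment.
const WEBHOOK_PREFIXES = ["/webhook/", "/webhook-test/"];

// Heuristic markers of executable content. Regexes over HTML are not a
// security boundary, so use these for flagging, not as the sole control.
const EXECUTABLE_PATTERNS = [
  /<\s*script\b/i,                                   // <script> blocks
  /\son[a-z]+\s*=/i,                                 // inline handlers: onload=, onerror=
  /(?:href|src|action)\s*=\s*["']?\s*javascript:/i,  // javascript: URLs
  /<\s*(?:iframe|object|embed)\b/i,                  // nested active content
];

function isWebhookPath(pathname) {
  return WEBHOOK_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

function hasExecutableContent(html) {
  return EXECUTABLE_PATTERNS.some((re) => re.test(html));
}

// Takes a proxied upstream response and returns the response to send to the
// client plus a flag telling the monitoring pipeline whether to raise an alert.
function filterWebhookResponse({ pathname, headers, body }) {
  const out = { ...headers };
  const contentType = (headers["content-type"] || "").toLowerCase();
  if (!isWebhookPath(pathname) || !contentType.startsWith("text/html")) {
    return { headers: out, body, flagged: false };
  }
  // "sandbox" with no allow-* tokens: the browser gives the document an opaque
  // origin and disables script execution, forms and plugins, whatever the body says.
  out["content-security-policy"] = "sandbox";
  out["x-content-type-options"] = "nosniff";
  return { headers: out, body, flagged: hasExecutableContent(body) };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { pathname: "/webhook/order", headers: { "content-type": "text/html; charset=utf-8" },
    body: "<h1>Order received</h1><p>Thank you.</p>" },
  { pathname: "/webhook/order", headers: { "content-type": "text/html" },
    body: '<h1>Order received</h1><img src="x" onerror="console.log(1)">' },
  { pathname: "/rest/workflows", headers: { "content-type": "application/json" }, body: "{}" },
];

const RESULTS = SAMPLES.map(filterWebhookResponse); // only the HTML webhook responses get CSP sandbox
```

Only the second sample is flagged; the JSON API response passes through untouched.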


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-03T22:21:59.614Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 694f040e33784cecd498bd15

Added to database: 12/26/2025, 9:54:22 PM

Last enriched: 12/26/2025, 10:09:47 PM

Last updated: 2/4/2026, 2:18:06 PM
