CVE-2025-58177 (CNNVD-202509-2017)
Chinese title:
n8n cross-site scripting vulnerability
English title:
n8n stored cross-site scripting in LangChain Chat Trigger node initialMessages parameter
Vulnerability description
Chinese description:
n8n is an extensible, open-source workflow automation tool from n8n. n8n versions from 1.24.0 up to, but not including, 1.107.0 contain a cross-site scripting vulnerability. The flaw stems from stored cross-site scripting in the initialMessages field and can lead to phishing attacks or theft of users' sensitive data.
English description:
n8n is an open source workflow automation platform. From 1.24.0 to before 1.107.0, there is a stored cross-site scripting (XSS) vulnerability in @n8n/n8n-nodes-langchain.chatTrigger. An authorized user can configure the LangChain Chat Trigger node with malicious JavaScript in the initialMessages field and enable public access so that the payload is executed in the browser of any user who visits the resulting public chat URL. This can be used for phishing or to steal cookies or other sensitive data from users accessing the public chat link. The issue is fixed in version 1.107.0. Updating to 1.107.0 or later is recommended. As a workaround, the affected chatTrigger node can be disabled. No other workarounds are known.
CWE type:
Tags:
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| n8n-io | n8n | >= 1.24.0, < 1.107.0 | - | - | cpe:2.3:a:n8n-io:n8n:>=_1.24.0,_<_1.107.0:*:*:*:*:*:*:* |
| n8n | n8n | * | - | - | cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:* |
Solution
Chinese solution:
English solution:
Temporary workaround:
CVSS score details
3.1 (cna)
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Time information
Exploit information
Data source details
| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2025-58177 | 2025-11-11 15:23:30 | 2025-11-11 07:40:45 |
| NVD | nvd_CVE-2025-58177 | 2025-11-11 15:01:02 | 2025-11-11 07:48:32 |
| CNNVD | cnnvd_CNNVD-202509-2017 | 2025-11-11 15:12:57 | 2025-11-11 08:00:11 |
Version and language
Security advisories
Change history
Detailed changes:
- vulnerability_type: not extracted -> cross-site scripting
- cnnvd_id: not extracted -> CNNVD-202509-2017
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
Detailed changes:
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']