CVE-2025-58177: 
JavaScript 脆弱性の分析と軽減

A stored cross-site scripting (XSS) vulnerability was identified in n8n, an open source workflow automation platform, affecting versions 1.24.0 to before 1.107.0. The vulnerability (CVE-2025-58177) exists in the @n8n/n8n-nodes-langchain.chatTrigger component, where an authorized user could configure the LangChain Chat Trigger node with malicious JavaScript in the initialMessages field and enable public access (GitHub Advisory).

The vulnerability stems from insufficient sanitization of the initialMessages parameter in the ChatTrigger.webhook method. When a malicious payload is injected into the initialMessages field, it gets embedded into a JavaScript configuration object within the generated HTML page through the createPage function. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required user interaction (NVD).

When exploited, the vulnerability allows the payload to be executed in the browser of any user who visits the resulting public chat URL. This can be leveraged for phishing attacks or to steal cookies and other sensitive data from users accessing the public chat link (GitHub Advisory).

The vulnerability has been patched in version 1.107.0 of n8n. Users are recommended to upgrade to version 1.107.0 or later. As a temporary workaround, users can disable the affected chatTrigger node. The fix includes implementing comprehensive sanitization using the sanitize-html library and removing dangerous protocols like javascript:, data:, and vbscript: (GitHub PR).