Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-52478
CVE-2025-52478:
JavaScript vulnerability analysis and mitigation
Overview
CVE-2025-52478 is a stored Cross-Site Scripting (XSS) vulnerability discovered in n8n's Form Trigger node's HTML form element, disclosed on December 2, 2024. The vulnerability affects versions 1.77.0 through 4.2.3 of the Jobify - Job Board WordPress Theme. This security issue allows authenticated attackers to inject malicious HTML via iframes with srcdoc payloads or through video/source tags with onerror events that can execute arbitrary JavaScript (Security Advisory).
Technical details
The vulnerability stems from improper neutralization of input during web page generation, classified as CWE-79. The attack can be executed through two primary vectors: injection of malicious HTML via iframes with srcdoc payloads, and injection of malicious JavaScript using video tags coupled with source tags utilizing onerror events. The vulnerability has received a CVSS v3.1 base score of 8.7 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, indicating network attack vector, low attack complexity, and required user interaction (NVD).
Impact
The vulnerability enables Account Takeover (ATO) by allowing attackers to exfiltrate n8n-browserId and session cookies from authenticated users who visit a maliciously crafted form. Using these stolen tokens and cookies, attackers can impersonate victims and modify account details, including email addresses, potentially gaining full control over the account. This is particularly severe for accounts without two-factor authentication enabled (Security Advisory).
Mitigation and workarounds
The vulnerability has been patched in version 1.98.2. For those unable to update immediately, several workarounds are available: configuring a reverse proxy to serve webhook requests from a different domain, disabling or restricting use of the Form Trigger node (particularly the HTML element type), and implementing a Content Security Policy (CSP) to block execution of inline scripts and disallow use of srcdoc (Security Advisory).
Community reactions
The vulnerability was addressed through PR #16329, which received attention from the development community. The fix was subsequently released in version 1.98.2 and backported to ensure broader protection across different versions (GitHub PR).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management