CVE-2025-58177.yaml
info:
  name: langchain
  cve: CVE-2025-58177
  summary: Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter.
  details: |
    A stored Cross-Site Scripting (XSS) vulnerability exists in the `@n8n/n8n-nodes-langchain.chatTrigger` node in n8n.
    If an authorized user configures the node with malicious JavaScript in the `initialMessages` field and enables public access,
    the script will execute in the browser of anyone who visits the resulting public chat URL.
    This could lead to phishing, cookie theft, or other sensitive data exfiltration.
  cvss: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
  severity: MEDIUM
  security_advise: |
    1. Upgrade to n8n version 1.107.0 or later.
    2. As a workaround, disable the `n8n-nodes-langchain.chatTrigger` node.
references:
  - https://github.com/n8n-io/n8n/security/advisories/GHSA-mvh4-2cm2-6hpg
  - https://nvd.nist.gov/vuln/detail/CVE-2025-58177
  - https://github.com/n8n-io/n8n/pull/18148
  - https://github.com/n8n-io/n8n/commit/d4ef191be0b39b65efa68559a3b8d5dad2e102b2
  - https://docs.n8n.io/hosting/securing/blocking-nodes
  - https://github.com/n8n-io/n8n
rule: version >= "1.24.0" && version < "1.107.0"