CVE-2025-49592 (GCVE-0-2025-49592)
Vulnerability from cvelistv5 – Published: 2025-06-26 19:45 – Updated: 2025-06-26 19:57
VLAI?
Summary
n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.
Severity ?
4.6 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49592",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T19:56:57.301467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T19:57:19.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n8n",
"vendor": "n8n-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.98.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T19:45:27.862Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f"
},
{
"name": "https://github.com/n8n-io/n8n/pull/16034",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/n8n-io/n8n/pull/16034"
},
{
"name": "https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e"
},
{
"name": "https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0"
}
],
"source": {
"advisory": "GHSA-5vj6-wjr7-5v9f",
"discovery": "UNKNOWN"
},
"title": "n8n Login Flow has Open Redirect Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49592",
"datePublished": "2025-06-26T19:45:27.862Z",
"dateReserved": "2025-06-06T15:44:21.556Z",
"dateUpdated": "2025-06-26T19:57:19.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-49592\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-26T20:15:29.323\",\"lastModified\":\"2025-09-02T17:52:02.590\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.\"},{\"lang\":\"es\",\"value\":\"n8n es una plataforma de automatizaci\u00f3n de flujos de trabajo. Las versiones anteriores a la 1.98.0 presentan una vulnerabilidad de redirecci\u00f3n abierta en el flujo de inicio de sesi\u00f3n. Tras iniciar sesi\u00f3n, los usuarios autenticados pueden ser redirigidos a dominios no confiables, controlados por atacantes, mediante la manipulaci\u00f3n de URL maliciosas con un par\u00e1metro de consulta de redirecci\u00f3n enga\u00f1oso. Esto puede provocar ataques de phishing al suplantar la interfaz de usuario de n8n en dominios similares (p. ej., n8n.local.evil.com), robo de credenciales o de 2FA si se enga\u00f1a a los usuarios para que vuelvan a introducir informaci\u00f3n confidencial, o riesgo para la reputaci\u00f3n debido a la similitud visual entre los dominios controlados por atacantes y los de confianza. La vulnerabilidad afecta a cualquiera que aloje n8n y exponga el endpoint `/signin` a los usuarios. El problema se ha corregido en la versi\u00f3n 1.98.0. Todos los usuarios deben actualizar a esta versi\u00f3n o una posterior. La correcci\u00f3n introduce una validaci\u00f3n de origen estricta para las URL de redirecci\u00f3n, lo que garantiza que solo se permitan rutas del mismo origen o relativas tras el inicio de sesi\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.98.0\",\"matchCriteriaId\":\"EAA9494C-2EB9-413F-AB71-174D564B395F\"}]}]}],\"references\":[{\"url\":\"https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/n8n-io/n8n/pull/16034\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49592\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-26T19:56:57.301467Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-26T19:57:03.389Z\"}}], \"cna\": {\"title\": \"n8n Login Flow has Open Redirect Vulnerability\", \"source\": {\"advisory\": \"GHSA-5vj6-wjr7-5v9f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"n8n-io\", \"product\": \"n8n\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.98.0\"}]}], \"references\": [{\"url\": \"https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f\", \"name\": \"https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/n8n-io/n8n/pull/16034\", \"name\": \"https://github.com/n8n-io/n8n/pull/16034\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e\", \"name\": \"https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0\", \"name\": \"https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-26T19:45:27.862Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-49592\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-26T19:57:19.559Z\", \"dateReserved\": \"2025-06-06T15:44:21.556Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-26T19:45:27.862Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…