n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
Description
Reflected XSS in n8n Meta and Microsoft Teams trigger nodes allows arbitrary JavaScript execution in a logged-in user's browser via a crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Meta and Microsoft Teams trigger nodes in n8n (specifically facebookTrigger, whatsAppTrigger, facebookLeadAdsTrigger, and microsoftTeamsTrigger) contain an endpoint that reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers. This enables reflected cross-site scripting (XSS) in the n8n origin. All versions prior to 2.24.0 are affected [1][2].
Exploitation
An attacker must craft a URL containing a malicious query parameter and convince a logged-in n8n user to visit it (e.g., via email or social engineering). No special network access is required beyond delivering the link. When the user clicks the crafted URL, the browser executes the attacker's JavaScript in the context of the n8n application [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the n8n origin. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the logged-in user. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) indicates high confidentiality impact, low integrity impact, and no availability impact [1][2].
Mitigation
The vulnerability is fixed in n8n version 2.24.0. Users should upgrade to this version or later. If immediate upgrade is not possible, administrators can limit workflow creation and activation permissions to fully trusted users, or disable the affected nodes by adding n8n-nodes-base.facebookTrigger, n8n-nodes-base.whatsAppTrigger, n8n-nodes-base.facebookLeadAdsTrigger, and n8n-nodes-base.microsoftTeamsTrigger to the NODES_EXCLUDE environment variable. These workarounds do not fully remediate the risk and should only be used as short-term measures [1][2].
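The reflecting pattern described under Vulnerability, beside a hardened handler of the kind the fix and the Mitigation section aim for, as an added TypeScript illustration that is not n8n's code. It assumes Meta's documented hub.mode, hub.verify_token and hub.challenge verification parameters (the advisory does not name the reflected parameter) and a configured shared verify token.

```typescript
// Added illustration, not n8n's code. Models a Meta-style webhook
// verification endpoint; hub.mode / hub.verify_token / hub.challenge are
// Meta's documented names and an assumption here, since the advisory does
// not name the reflected parameter.
type Query = Record<string, string | undefined>;
interface HttpReply { status: number; headers: Record<string, string>; body: string }

// Vulnerable shape from the advisory: the query value goes straight into
// an HTML response with no sanitization and no CSP, so the browser renders
// attacker-controlled markup in the n8n origin.
export function verifyVulnerable(query: Query): HttpReply {
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: query["hub.challenge"] ?? "",
  };
}

// Constant-time comparison so a wrong verify token cannot be narrowed
// down character by character through response timing.
function tokensMatch(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened handler: echo the challenge only after the shared verify token
// matches, and only as plain text the browser will not render, with nosniff
// and a CSP that forbids script execution even if the type were ignored.
export function verifyHardened(query: Query, expectedToken: string): HttpReply {
  const headers: Record<string, string> = {
    "Content-Type": "text/plain; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'",
    "Cache-Control": "no-store",
  };
  const token = query["hub.verify_token"] ?? "";
  if (query["hub.mode"] !== "subscribe" || !tokensMatch(token, expectedToken)) {
    return { status: 403, headers, body: "forbidden" };
  }
  return { status: 200, headers, body: query["hub.challenge"] ?? "" };
}
```

Returning the challenge as text/plain removes the HTML sink without changing what the verifying platform receives, which is why the header change alone closes this class of reflection.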
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
References: 2
News mentions: 0 (No linked articles in our index yet.)