Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
TypeBot is a chatbot builder tool. SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.example that resolves to 127.0.0.1, 169.254.169.254, or RFC1918/private space passes validation and is later fetched by the backend HTTP client. This enables server-side request forgery to loopback, cloud metadata, and private network targets. This issue has been resolved in version 3.16.0.
AnalysisAI
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSRF protections in Webhook and HTTP Request blocks by supplying attacker-controlled hostnames that resolve via DNS to loopback (127.0.0.1), cloud metadata (169.254.169.254), or RFC1918 private addresses. The validation logic only inspected the URL string and literal IP formats without performing DNS resolution, so a benign-looking domain could route the backend HTTP client to internal targets. No public exploit identified at time of analysis, though the GitHub Security Advisory and fix commit are publicly visible.
Technical ContextAI
Typebot is an open-source chatbot builder maintained by baptisteArno (CPE cpe:2.3:a:baptistearno:typebot.io). The vulnerable component is the HTTP Request integration block (packages/bot-engine/src/blocks/integrations/httpRequest/executeHttpRequestBlock.ts) which used the ky HTTP client directly against user-supplied URLs. The root cause maps to CWE-20 (Improper Input Validation): URL validation checked the textual form against a blocklist of literal hostnames and IP-formatted strings, but never resolved the hostname to its actual A/AAAA records before issuing the request. This is a classic DNS-rebinding-class SSRF gap where validation and resolution are decoupled. The fix introduces a safeKy wrapper that performs DNS resolution and rejects link-local (169.254.0.0/16), loopback, and private (e.g., 10.0.0.0/8) destinations, and additionally hardens against redirect-chain bypasses by validating each Location header before following with a maxRedirects cap of 10.
RemediationAI
Vendor-released patch: upgrade to Typebot 3.16.0 or later, which replaces the unguarded ky client with a safeKy wrapper that performs DNS resolution and blocks loopback, link-local, and RFC1918 destinations, and validates each redirect target (see commit https://github.com/baptisteArno/typebot.io/commit/23818bb0e54db23c456ee3fa6b12d82b2af848b8 and advisory https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grcc-6x37-wwgp). If immediate upgrade is not possible, restrict the Typebot backend's network egress at the host or cloud layer by denying outbound traffic to 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (trade-off: legitimate internal webhooks to these ranges will break), require IMDSv2 with hop-limit 1 on AWS to block cloud-metadata exfiltration via SSRF (trade-off: applications using IMDSv1 must be updated), and tighten account provisioning so only trusted authors can create HTTP Request/Webhook blocks since exploitation requires PR:L.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today