Typebot CVE-2026-39965
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via Open Redirect Bypass as the HTTP Request block and Code block validate the initial request URL via validateHttpReqUrl() to block private IPs and cloud metadata hostnames. However, the HTTP clients (ky and fetch) follow 302 redirects without re-validating the redirect destination. An authenticated user can point a bot block to an attacker-controlled server that responds with a redirect to an internal IP, causing the Typebot server to reach internal services. An authenticated Typebot user can reach AWS metadata (169.254.169.254), private subnets, and container-internal services. Exploitable to extract cloud IAM credentials or probe internal APIs inaccessible from the internet. This issue has been fixed in version 3.16.0.
AnalysisAI
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpReqUrl() SSRF filter by chaining an attacker-controlled HTTP 302 redirect, since the underlying ky and fetch clients follow redirects without re-validating the destination. This enables reaching AWS instance metadata at 169.254.169.254, private subnets, and container-internal services from the Typebot server, with realistic impact including theft of cloud IAM credentials. No public exploit identified at time of analysis, and the issue is fixed in version 3.16.0.
Technical ContextAI
Typebot (cpe:2.3:a:baptistearno:typebot.io) is an open-source chatbot builder whose HTTP Request and Code blocks let bot authors issue outbound HTTP calls from the server. The product implements a denylist-style SSRF guard (validateHttpReqUrl()) that inspects only the initial URL to reject private IP ranges and cloud metadata hostnames, but the HTTP transports used (ky on top of native fetch) transparently follow 302 redirects without invoking that validator again. This is a textbook CWE-918 (Server-Side Request Forgery) realized through an open-redirect-style bypass - the root cause is performing input validation only at the entry point rather than on every network hop the client traverses.
RemediationAI
Vendor-released patch: upgrade to Typebot 3.16.0 or later, as published at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 with advisory GHSA-jxv3-m939-w95c. If an immediate upgrade is not feasible, compensating controls include configuring the HTTP client (ky/fetch) to disable automatic redirect following or to re-run validateHttpReqUrl() on every redirect Location header, with the trade-off that legitimate workflows depending on redirect-based APIs (URL shorteners, OAuth-style flows) will break; at the network layer, block egress from the Typebot server to 169.254.169.254/32, RFC1918 ranges, and the container/Kubernetes internal CIDRs (this prevents the SSRF payoff but breaks any intentional internal HTTP calls the bot needs), and on AWS specifically enforce IMDSv2 with a hop limit of 1 to neutralize metadata credential theft from the application container. Restricting who can create or modify HTTP Request and Code blocks to a small, trusted set of editors is a temporary access-control mitigation but does not eliminate insider risk.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today