Typebot Io
Monthly
{workspaceId}/whatsapp/{credentialsId}/webhook ignores the x-hub-signature-256 header that Meta includes with every legitimate delivery, and because both path parameters are semi-public by design - appearing in web server access logs and Meta's webhook configuration dashboard - the attack surface is readily discoverable. Successful exploitation allows an attacker to trigger arbitrary bot automation flows, consume API resources, and abuse external service integrations using the workspace owner's stored credentials. No public exploit identified at time of analysis; vendor-released patch available in version 3.17.0.
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a broken authorization check in the getLinkedTypebots API endpoint, constituting a classic IDOR. The root cause is a JavaScript async/await misuse: Array.filter() is synchronous, so an async callback hands it a Promise for every element, and a Promise is always truthy - every bot passes the filter and the result of the isReadTypebotForbidden predicate is never actually used. Sensitive data leaked includes embedded credentials, API keys, PII stored as variables, webhook URLs, and integration configurations from any other user's private workspace bots. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the exposure of hardcoded secrets elevates practical risk significantly beyond what the 6.5 CVSS score suggests.
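The async-predicate pitfall behind this bug, shown as an added example rather than Typebot's code: the ownership check and bot records below are simplified stand-ins, and the fixed variant resolves every predicate first and only then filters.

```javascript
// Added illustration of the Array.filter()/async misuse behind the getLinkedTypebots
// authorization bug. Data and predicate are constructed stand-ins, not Typebot's code.
const bots = [
  { id: "bot-a", workspaceId: "ws-1" },
  { id: "bot-b", workspaceId: "ws-2" },
];
// The caller is a member of ws-1 only.
const callerWorkspaces = new Set(["ws-1"]);

// Stand-in for an async ownership check (in a real app this queries the database).
async function isReadForbidden(bot) {
  return !callerWorkspaces.has(bot.workspaceId);
}

// BUGGY: Array.filter() is synchronous. The async callback returns a Promise, which
// is always truthy, so every bot survives the filter regardless of ownership.
function linkedTypebotsBuggy() {
  return bots.filter(async (bot) => !(await isReadForbidden(bot)));
}

// FIXED: evaluate the predicate for every bot first, then filter on the resolved
// booleans. Only bots the caller is allowed to read are returned.
async function linkedTypebotsFixed() {
  const forbidden = await Promise.all(bots.map((bot) => isReadForbidden(bot)));
  return bots.filter((_, i) => !forbidden[i]);
}

// Usage: the buggy version leaks bot-b from another workspace; the fix does not.
console.log(linkedTypebotsBuggy().map((b) => b.id));               // ["bot-a", "bot-b"]
linkedTypebotsFixed().then((r) => console.log(r.map((b) => b.id))); // ["bot-a"]
```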
TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a crafted malicious SVG file containing embedded JavaScript, an attacker can execute arbitrary JavaScript code. This vulnerability directly enables stored XSS exploitation because the payload is persistently stored on the application's own infrastructure (app.typebot.io) and accessible from a public-facing, permanent link. Stored XSS via malicious SVG uploads to app.typebot.io allows attackers to execute arbitrary JavaScript in victims' browsers, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0.
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpReqUrl() SSRF filter by chaining an attacker-controlled HTTP 302 redirect, since the underlying ky and fetch clients follow redirects without re-validating the destination. This enables reaching AWS instance metadata at 169.254.169.254, private subnets, and container-internal services from the Typebot server, with realistic impact including theft of cloud IAM credentials. No public exploit identified at time of analysis, and the issue is fixed in version 3.16.0.
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including free-tier users - to inject arbitrary JavaScript into a visitor's browser by setting a rich text bubble link URL to a javascript: URI. When a visitor clicks the malicious link within an embedded bot, the payload executes in the host page's origin (S:C scope change), enabling exfiltration of cookies and session tokens from the embedding third-party site. No public exploit code or active exploitation is confirmed at time of analysis; a vendor-released patch is available in v3.16.0.
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSRF protections in Webhook and HTTP Request blocks by supplying attacker-controlled hostnames that resolve via DNS to loopback (127.0.0.1), cloud metadata (169.254.169.254), or RFC1918 private addresses. The validation logic only inspected the URL string and literal IP formats without performing DNS resolution, so a benign-looking domain could route the backend HTTP client to internal targets. No public exploit identified at time of analysis, though the GitHub Security Advisory and fix commit are publicly visible.
Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers to abuse the preview chat endpoint to make arbitrary internal HTTP requests from the server. The flaw stems from the isolated-vm sandbox's fetch function calling Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects HTTP Request blocks, bypassing mitigations added after GHSA-8gq9-rw7v-3jpr. No public exploit identified at time of analysis, but the CVSS 10.0 (Critical) score with scope-changed impact indicates severe risk for both self-hosted and hosted deployments.
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read execution logs belonging to other workspaces by supplying an arbitrary victim resultId alongside their own authorized typebotId. The endpoint authorizes the caller by typebotId but fetches log records by resultId alone, skipping cross-ownership validation that all peer endpoints in the same router correctly enforce. Exploitation exposes sensitive runtime data including HTTP response bodies, AI model outputs, and webhook payloads. No public exploit or CISA KEV listing has been identified at time of analysis, but the straightforward nature of the IDOR - requiring only a valid session and a guessed or enumerated resultId - makes unauthorized data access realistic for any authenticated platform user.