Platform
nodejs
Component
typebot.io
Fixed in
3.13.2
A critical Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2025-64709, has been identified in Typebot, an open-source chatbot builder. Versions prior to 3.13.1 let any authenticated user make the Typebot server issue arbitrary HTTP requests, including requests with attacker-supplied headers. Because the headers are attacker-controlled, the IMDSv2 token handshake offers no protection: the attacker can retrieve the temporary AWS IAM credentials of the EKS node role from the instance metadata service, potentially leading to complete compromise of the Kubernetes cluster and the associated AWS infrastructure. The vulnerability is resolved in version 3.13.1.
Deployments on AWS with Kubernetes are the most exposed. An attacker who is authenticated to Typebot builds a bot whose HTTP Request block (the webhook feature) points at internal services instead of a public webhook. IMDSv2 is meant to stop naive SSRF because it requires a PUT to http://169.254.169.254/latest/api/token carrying an X-aws-ec2-metadata-token-ttl-seconds header, followed by a GET that presents the returned token in an X-aws-ec2-metadata-token header; since the block lets the user set custom headers, the attacker can complete that handshake and read /latest/meta-data/iam/security-credentials/ from the node the Typebot pod runs on. Those are the temporary IAM credentials of the EKS node role. With them the attacker can escalate privileges, gain control over the Kubernetes cluster, and potentially compromise the AWS infrastructure associated with it. The blast radius extends to any data or services running within the cluster.
The vulnerability was publicly disclosed on 2025-11-13. It is easy to exploit (nothing beyond the product's own HTTP Request block is needed) and the payoff is high, so public proof-of-concept requests are likely to appear. The EPSS score listed on this page is nevertheless 0.06% (18th percentile), so the modelled probability of exploitation in the wild is currently low; treat the ease of exploitation rather than the EPSS figure as decisive. It is crucial to assess whether any Typebot instances are exposed to external networks or have weak authentication mechanisms.
Organizations running Typebot on Kubernetes, particularly on AWS EKS with IAM roles attached to the nodes, are at the greatest risk. Any self-hosted deployment whose server can reach internal-only services is affected regardless of cloud provider, and shared hosting environments running Typebot are also exposed, since the SSRF can reach resources outside the tenant's intended scope.
Detection checks:
• linux / server (assumes Typebot runs as a systemd unit named typebot; for a container use docker logs or kubectl logs instead):
journalctl -u typebot -g "HTTP Request"
• generic web: a HEAD request against the Typebot instance reveals nothing, because the forged request leaves from the server side; look instead for the metadata endpoints in outbound, egress-proxy or application logs:
grep -E "169\.254\.169\.254|fd00:ec2::254|metadata\.google\.internal" <outbound_or_proxy_log>
Disclosure
2025-11-13
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64709 is to upgrade Typebot to version 3.13.1 or later. If an immediate upgrade is not feasible because of compatibility concerns or breaking changes, reduce both what the server can reach and what the node role is worth: restrict egress from the Typebot pods (a Kubernetes NetworkPolicy or node-level rule that blocks 169.254.169.254 and fd00:ec2::254), set the instance metadata hop limit to 1 so that a pod in its own network namespace cannot complete the IMDSv2 token PUT (hostNetwork pods excepted), and prefer pod-scoped credentials (IRSA or EKS Pod Identity) over a broadly privileged node role. Validate the destination of every HTTP Request block server-side (allowed schemes only, resolved address outside link-local and private ranges) and drop attacker-supplied metadata headers such as X-aws-ec2-metadata-token. Monitor Typebot's outbound requests for the metadata endpoints. A Web Application Firewall will not help here: it inspects inbound traffic, whereas the forged request leaves the server; an egress proxy or network policy is the right control. After upgrading, confirm the fix by building a bot whose HTTP Request block sends a PUT to http://169.254.169.254/latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header, and verify that the request is refused.
Update Typebot to version 3.13.1 or later. This version fixes the SSRF vulnerability in the webhook block. The update prevents the possible extraction of AWS EKS credentials and the compromise of the Kubernetes cluster.
CVE-2025-64709 is a critical SSRF vulnerability in Typebot versions up to 3.13.0, allowing attackers to extract AWS IAM credentials and compromise Kubernetes clusters.
You are affected if you are running Typebot version 3.13.0 or earlier. Upgrade to 3.13.1 to resolve the vulnerability.
Upgrade Typebot to version 3.13.1. As a temporary workaround, restrict outbound network access and implement strict input validation.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted. Monitor your systems and apply the patch promptly.
Refer to the Typebot project's official release notes and security advisories on their GitHub repository for the latest information.