Server-Side Request Forgery Vulnerability in Typebot Chatbot Builder from Typebot
CVE-2025-64709

9.6CRITICAL

Key Information:

Vendor: Baptistearno
Status: Typebot.io
Vendor: CVE Published:; 13 November 2025

🔔 Create Baptistearno Vulnerability Alert

What is CVE-2025-64709?

The Typebot chatbot builder, specifically in versions prior to 3.13.1, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability in its webhook block functionality. This security flaw allows authenticated users to issue arbitrary HTTP requests from the server. Notably, it can be exploited to access the AWS Instance Metadata Service (IMDS). Attackers can circumvent IMDSv2 protections via custom header manipulation, which may allow them to retrieve temporary AWS IAM credentials tied to the EKS node role. This can lead to a situation where an attacker gains full control over the Kubernetes cluster and the associated AWS infrastructure. Users are urged to update to version 3.13.1 or later to remediate this vulnerability.

Affected Version(s)

typebot.io < 3.13.1

References

https://github.com/baptisteArno/typebot.io/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 13, 2025
Vulnerability Reserved
Nov 10, 2025

JSON