CVE

CVE-2025-64709

Typebot May Expose AWS EKS Credentials via Server Side Request Forgery in Webhook Block

CVE

CVE-2025-64709

Typebot May Expose AWS EKS Credentials via Server Side Request Forgery in Webhook Block

Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) functionality allows authenticated users to make arbitrary HTTP requests from the server, including access to AWS Instance Metadata Service (IMDS). By bypassing IMDSv2 protection through custom header injection, attackers can extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure. Version 3.13.1 fixes the issue.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

9.6

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64709.json, https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8gq9-rw7v-3jpr, https://nvd.nist.gov/vuln/detail/CVE-2025-64709

Severity

9.6

CVSS Score

Basic Information

Ecosystem

Base CVSS

9.6

EPSS Probability

0.00042%

EPSS Percentile

0.12464%

Introduced Version

Fix Available

6655635da7c854368735bc70b53bfc7534badffd

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-64709

CVE-2025-64709

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.6

Basic Information

Fix Critical Vulnerabilities Instantly