CVE-2025-65098

7.4 HIGH

📋 TL;DR

This vulnerability in Typebot allows attackers to steal stored credentials (OpenAI keys, Google Sheets tokens, SMTP passwords) from any user who previews a malicious chatbot. The flaw occurs because the credentials endpoint returns plaintext API keys without verifying ownership. All Typebot users running versions before 3.13.2 are affected.

💻 Affected Systems

Products:
  • Typebot
Versions: All versions prior to 3.13.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any Typebot instance with stored credentials (OpenAI, Google Sheets, SMTP) is vulnerable regardless of deployment method (self-hosted or cloud).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all stored credentials leading to unauthorized access to third-party services (OpenAI, Google Sheets, email servers), potential data breaches, and financial loss.

🟠 Likely Case

Attackers steal API keys and tokens to access paid services, manipulate data in connected sheets, or send unauthorized emails, resulting in service abuse and data integrity issues.

🟢 If Mitigated

Limited impact if proper network segmentation and credential isolation are implemented, though credential exposure still poses risks.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited through malicious chatbots that users preview in their browsers, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal users could still be tricked into previewing malicious chatbots, but attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking 'Run' on a malicious typebot) but the technical complexity is low once the malicious typebot is created.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.2

Vendor Advisory: https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47

Restart Required: Yes

Instructions:

1. Back up your Typebot instance and database.
2. Update Typebot to version 3.13.2 or later using your deployment method (Docker, manual, etc.).
3. Restart the Typebot service.
4. Verify the update by checking the version in the admin interface.

🔧 Temporary Workarounds

Disable credential storage (all)

Temporarily remove or disable all stored credentials (OpenAI keys, Google Sheets tokens, SMTP passwords) from Typebot configuration.

# Remove credential entries from Typebot configuration files or database

Restrict preview access (all)

Limit access to typebot preview functionality to trusted users only through authentication or network controls.

# Configure web server (nginx/apache) to restrict /api/trpc/credentials.getCredentials endpoint

🧯 If You Can't Patch

  • Immediately rotate all stored credentials (OpenAI keys, Google Sheets tokens, SMTP passwords) and monitor for unauthorized usage.
  • Implement strict network segmentation to isolate Typebot instances and limit credential exposure to only necessary systems.

🔍 How to Verify

Check if Vulnerable:

Check if your Typebot version is below 3.13.2 in the admin interface or by inspecting the application metadata.

Check Version:

docker exec typebot-container cat /app/package.json | grep version

Verify Fix Applied:

Confirm version is 3.13.2 or higher and test that the /api/trpc/credentials.getCredentials endpoint now properly validates credential ownership.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /api/trpc/credentials.getCredentials endpoint
  • Multiple failed credential validation attempts
  • Unexpected outbound connections to external domains

Network Indicators:

  • HTTP requests to /api/trpc/credentials.getCredentials from untrusted sources
  • Outbound data exfiltration to suspicious domains

SIEM Query:

source="typebot-logs" AND (uri_path="/api/trpc/credentials.getCredentials" OR message="credential access")
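The log indicators above can be checked offline against a reverse-proxy access log. The following is an added example (not Typebot's own code or tooling): it parses nginx "combined" log lines, keeps only successful reads of the credentials endpoint, and raises an alert for any read from outside a trusted address range and for any client that reads credentials in a burst. The sample lines, the `10.0.0.0/8` trusted range and the burst threshold are constructed assumptions; the real query string shape of the endpoint is not on the page.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

ENDPOINT = "/api/trpc/credentials.getCredentials"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample access log (nginx "combined" format); not real Typebot traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2025:10:00:01 +0000] "GET /api/trpc/credentials.getCredentials?input=%7B%7D HTTP/1.1" 200 512 "https://typebot.example/typebots/abc/edit" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:00:02 +0000] "GET /api/trpc/credentials.getCredentials?input=%7B%7D HTTP/1.1" 200 512 "https://typebot.example/typebots/evil/preview" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:00:03 +0000] "GET /api/trpc/credentials.getCredentials?input=%7B%7D HTTP/1.1" 200 498 "https://typebot.example/typebots/evil/preview" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:00:04 +0000] "GET /api/trpc/credentials.getCredentials?input=%7B%7D HTTP/1.1" 200 530 "https://typebot.example/typebots/evil/preview" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:00:05 +0000] "GET /api/trpc/credentials.getCredentials?input=%7B%7D HTTP/1.1" 200 501 "https://typebot.example/typebots/evil/preview" "Mozilla/5.0"
10.0.0.5 - - [20/Nov/2025:10:05:00 +0000] "GET /api/trpc/typebot.getTypebot?input=%7B%7D HTTP/1.1" 200 2048 "https://typebot.example/typebots/abc/edit" "Mozilla/5.0"
"""

def parse(lines):
    """Yield a dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec

def find_credential_harvesting(lines, trusted_nets=("10.0.0.0/8",), burst=3, window_s=60):
    """Return sorted (ip, reason) alerts for successful reads of the credentials
    endpoint: any read from outside trusted_nets, and any client making more
    than `burst` reads within `window_s` seconds (the bulk-read pattern)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    recent = defaultdict(list)  # ip -> timestamps inside the sliding window
    alerts = set()
    for rec in parse(lines):
        if not rec["path"].startswith(ENDPOINT) or rec["status"] != "200":
            continue
        ip = rec["ip"]
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            alerts.add((ip, "credentials endpoint hit from untrusted source"))
        recent[ip] = [t for t in recent[ip] if (rec["ts"] - t).total_seconds() <= window_s]
        recent[ip].append(rec["ts"])
        if len(recent[ip]) > burst:
            alerts.add((ip, f"burst: >{burst} credential reads in {window_s}s"))
    return sorted(alerts)
```

Tune `trusted_nets` and `burst` to your deployment; a single legitimate editor session reads its own credentials a handful of times, so a low threshold over a short window is usually enough to separate the two.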
