CVE-2025-65098 Overview
CVE-2025-65098 is a Cross-Site Scripting (XSS) vulnerability in Typebot, an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution allows attackers to steal all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run," JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The /api/trpc/credentials.getCredentials endpoint returns plaintext API keys without verifying credential ownership.
Critical Impact
Attackers can steal sensitive credentials including OpenAI API keys, Google Sheets tokens, and SMTP passwords from any Typebot user who previews a malicious chatbot.
Affected Products
- Typebot versions prior to 3.13.2
- Typebot open-source chatbot builder (self-hosted instances)
- Typebot cloud instances running vulnerable versions
Discovery Timeline
- 2026-01-22 - CVE-2025-65098 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-65098
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Cross-Site Scripting). The flaw exists in how Typebot handles user-generated content within chatbot configurations. Malicious JavaScript can be embedded within a typebot's configuration, which then executes in the context of any user who previews that chatbot.
The core issue is twofold: first, insufficient sanitization of chatbot content allows script injection; second, the /api/trpc/credentials.getCredentials API endpoint lacks proper ownership verification, returning plaintext credentials to any authenticated user making the request. This combination allows an attacker to craft a malicious chatbot that, when previewed, executes JavaScript to call the vulnerable API endpoint and exfiltrate the victim's stored credentials.
Root Cause
The root cause stems from improper input validation and missing authorization checks. The application fails to sanitize user-controlled content that gets rendered in the browser during chatbot preview functionality. Additionally, the credentials API endpoint does not verify that the requesting user owns the credentials being returned, creating an Insecure Direct Object Reference (IDOR) condition that compounds the XSS vulnerability.
Attack Vector
The attack is network-based and requires user interaction. An attacker creates a malicious typebot containing embedded JavaScript payloads. When a victim clicks the "Run" button to preview this chatbot, the malicious script executes in their browser session. The script then makes authenticated API calls to /api/trpc/credentials.getCredentials to retrieve the victim's stored credentials, including OpenAI API keys, Google Sheets OAuth tokens, and SMTP passwords. These credentials are then exfiltrated to an attacker-controlled server.
The vulnerability requires the attacker to social engineer a victim into previewing the malicious chatbot, but once triggered, provides complete access to the victim's stored credentials without further interaction.
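The ownership gap described above, modelled as an added example (not Typebot's code): a credentials handler in the vulnerable shape the advisory describes, returning the plaintext secret to any authenticated caller, beside a hardened shape that checks workspace membership and keeps the secret server-side. The credential store, the session shape and the function names are assumptions made for the example.

```typescript
// Hypothetical model of a credentials lookup handler, written for this page to
// contrast the advisory's description (no ownership check, plaintext secret
// returned) with a hardened shape. It is not Typebot's code; the store, the
// session shape and the function names are assumptions.

type Credential = { id: string; workspaceId: string; type: string; secret: string };
type CredentialMeta = { id: string; workspaceId: string; type: string };
type Session = { userId: string; workspaceIds: string[] };

// Constructed sample store: one credential in each of two workspaces.
const CREDENTIALS: Credential[] = [
  { id: "cred-a", workspaceId: "ws-alice", type: "openai", secret: "sk-ALICE-EXAMPLE" },
  { id: "cred-b", workspaceId: "ws-bob", type: "smtp", secret: "bob-smtp-example" },
];

// Vulnerable shape: any authenticated caller who names an id gets the plaintext
// secret. Script running in a victim's session can therefore read every
// credential the session can reach, which is exactly what the XSS chain needs.
function getCredentialsVulnerable(session: Session, credentialId: string): Credential | null {
  if (!session.userId) throw new Error("unauthenticated");
  const cred = CREDENTIALS.find((c) => c.id === credentialId);
  return cred === undefined ? null : cred;
}

// Hardened shape: the caller must belong to the workspace that owns the
// credential, and the secret stays server-side (the browser only needs metadata
// to render the builder; the server uses the secret when it runs the bot).
// Returning the same error for "missing" and "not yours" avoids revealing
// which ids exist.
function getCredentialsHardened(session: Session, credentialId: string): CredentialMeta {
  if (!session.userId) throw new Error("unauthenticated");
  const cred = CREDENTIALS.find((c) => c.id === credentialId);
  if (cred === undefined || !session.workspaceIds.includes(cred.workspaceId)) {
    throw new Error("not found");
  }
  return { id: cred.id, workspaceId: cred.workspaceId, type: cred.type };
}

// Convenience wrapper so callers can check the authorization outcome without try/catch.
function hardenedAllows(session: Session, credentialId: string): boolean {
  try {
    getCredentialsHardened(session, credentialId);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sessions: Alice owns ws-alice; Mallory belongs to a different workspace.
const ALICE: Session = { userId: "alice", workspaceIds: ["ws-alice"] };
const MALLORY: Session = { userId: "mallory", workspaceIds: ["ws-mallory"] };
```

The ownership check is the fix the advisory describes; keeping the secret out of the response is an extra design choice in this example that limits what a future script-injection bug in the builder could reach.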
Detection Methods for CVE-2025-65098
Indicators of Compromise
- Unexpected outbound network requests from the Typebot application to unknown domains
- Unusual API calls to /api/trpc/credentials.getCredentials from client-side scripts
- JavaScript payloads embedded within typebot configurations containing suspicious function calls (e.g., fetch, XMLHttpRequest, document.cookie)
- Access logs showing credential retrieval requests followed by external data exfiltration
Detection Strategies
- Monitor network traffic for outbound connections to suspicious domains originating from users' browser sessions while using Typebot
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Review typebot configurations for embedded script tags or event handlers that could execute malicious code
- Audit API access logs for the /api/trpc/credentials.getCredentials endpoint to identify anomalous access patterns
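A review helper for the configuration-review strategy above, added here as example code that is not a Typebot tool: it walks an exported bot configuration (any JSON-like object) and reports string values containing script tags, inline event handlers, javascript: URLs, or the fetch, XMLHttpRequest and document.cookie calls listed under Indicators of Compromise, with the JSON path of each hit. The sample configuration is constructed and does not follow Typebot's real schema.

```typescript
// Added review helper: scans a JSON-like bot configuration for strings that
// look like embedded script. Example code for this page, not a Typebot tool;
// the sample configuration below is constructed and not Typebot's schema.

type Finding = { path: string; pattern: string; snippet: string };

// Heuristic patterns: the page's indicator list plus the classic inline-handler shapes.
const SUSPICIOUS: { name: string; re: RegExp }[] = [
  { name: "script-tag", re: /<script\b/i },
  { name: "inline-event-handler", re: /\bon[a-z]+\s*=/i },
  { name: "javascript-url", re: /javascript\s*:/i },
  { name: "fetch-call", re: /\bfetch\s*\(/ },
  { name: "xmlhttprequest", re: /XMLHttpRequest/ },
  { name: "cookie-access", re: /document\s*\.\s*cookie/ },
];

// Recursive walk over strings, arrays and objects, tracking a JSON path like groups[1].blocks[0].content.
function scanValue(value: unknown, path: string, out: Finding[]): void {
  if (typeof value === "string") {
    for (const p of SUSPICIOUS) {
      const m = p.re.exec(value);
      if (m !== null) {
        const start = Math.max(0, m.index - 10);
        out.push({ path, pattern: p.name, snippet: value.slice(start, m.index + 40) });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => scanValue(item, path + "[" + i + "]", out));
  } else if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    for (const key of Object.keys(obj)) {
      scanValue(obj[key], path === "" ? key : path + "." + key, out);
    }
  }
}

// Entry point: every match with its path, so a reviewer can jump straight to the block.
function scanBotConfig(config: unknown): Finding[] {
  const out: Finding[] = [];
  scanValue(config, "", out);
  return out;
}

// Constructed sample: a benign rich-text block followed by one carrying an inline handler.
const SAMPLE_CONFIG = {
  name: "Support bot",
  groups: [
    { blocks: [{ type: "text", content: "<p>Hi! How can I help today?</p>" }] },
    { blocks: [{ type: "text", content: "<img src=x onerror=\"fetch('/collect')\">" }] },
  ],
};
```

The patterns are review heuristics, not a sanitizer: they will surface ordinary prose that happens to contain "on...=" and will miss obfuscated payloads, so treat hits as items for a human to look at rather than as a block-list.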
Monitoring Recommendations
- Deploy web application firewalls (WAF) with XSS detection rules to identify malicious payloads in typebot content
- Enable verbose logging on the Typebot API server to track credential access requests
- Implement alerting for bulk or rapid credential retrieval API calls that may indicate exploitation
- Monitor for unauthorized use of stolen credentials (OpenAI API anomalies, Google Sheets access from unknown IPs, SMTP authentication failures)
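The audit-log and bulk-retrieval alerting recommendations above, as an added detection example that is not part of the original page or of Typebot: it parses access-log lines into events and flags any user whose successful calls to /api/trpc/credentials.getCredentials exceed a threshold inside a sliding time window. The log line format is a constructed key=value layout, not Typebot's real logging format, and the sample lines are constructed.

```typescript
// Added detection example: sliding-window count of successful credential
// retrievals per user. Not Typebot code; the key=value log format and the
// sample lines below are constructed for this example.

type AccessEvent = { ts: number; user: string; path: string; status: number };
type Alert = { user: string; count: number; windowStart: string; windowEnd: string };

const CREDENTIALS_PATH = "/api/trpc/credentials.getCredentials";

// Parse one constructed line of the form:
//   2026-01-22T10:00:01Z user=alice path=/api/trpc/... status=200
function parseLine(line: string): AccessEvent | null {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 4) return null;
  const ts = Date.parse(parts[0]);
  if (Number.isNaN(ts)) return null;
  const fields: Record<string, string> = {};
  for (const kv of parts.slice(1)) {
    const eq = kv.indexOf("=");
    if (eq > 0) fields[kv.slice(0, eq)] = kv.slice(eq + 1);
  }
  if (!fields.user || !fields.path) return null;
  // Strip the tRPC query string so the path compares cleanly.
  return { ts, user: fields.user, path: fields.path.split("?")[0], status: Number(fields.status || "0") };
}

// Flag users with `threshold` or more successful credential reads inside any
// window of `windowMs`. Failed requests (non-200) are ignored here; a separate
// rule could alert on 403s, which the hardened endpoint would produce.
function detectBulkCredentialReads(lines: string[], threshold = 5, windowMs = 60000): Alert[] {
  const byUser: Record<string, number[]> = {};
  for (const line of lines) {
    const ev = parseLine(line);
    if (ev === null || ev.path !== CREDENTIALS_PATH || ev.status !== 200) continue;
    if (!byUser[ev.user]) byUser[ev.user] = [];
    byUser[ev.user].push(ev.ts);
  }
  const alerts: Alert[] = [];
  for (const user of Object.keys(byUser)) {
    const ts = byUser[user].slice().sort((a, b) => a - b);
    let start = 0;
    let best = 0;
    let bestStart = 0;
    for (let end = 0; end < ts.length; end++) {
      while (ts[end] - ts[start] > windowMs) start++;
      const n = end - start + 1;
      if (n > best) { best = n; bestStart = start; }
    }
    if (best >= threshold) {
      alerts.push({
        user,
        count: best,
        windowStart: new Date(ts[bestStart]).toISOString(),
        windowEnd: new Date(ts[bestStart + best - 1]).toISOString(),
      });
    }
  }
  return alerts;
}

// Constructed sample log: alice's session pulls credentials six times in seven
// seconds (one attempt is refused), while bob reads twice, half an hour apart.
const SAMPLE_LOG: string[] = [
  "2026-01-22T10:00:00Z user=bob path=/api/trpc/credentials.getCredentials?input=%7B%7D status=200",
  "2026-01-22T10:00:01Z user=alice path=/api/trpc/credentials.getCredentials?input=%7B%7D status=200",
  "2026-01-22T10:00:02Z user=alice path=/api/trpc/credentials.getCredentials?input=%7B%7D status=200",
  "2026-01-22T10:00:03Z user=alice path=/api/trpc/credentials.getCredentials?input=%7B%7D status=200",
  "2026-01-22T10:00:03Z user=alice path=/dashboard status=200",
  "2026-01-22T10:00:04Z user=alice path=/api/trpc/credentials.getCredentials?input=%7B%7D status=200",
  "2026-01-22T10:00:05Z user=alice path=/api/trpc/credentials.getCredentials?input=%7B%7D status=200",
  "2026-01-22T10:00:06Z user=alice path=/api/trpc/credentials.getCredentials?input=%7B%7D status=403",
  "2026-01-22T10:00:07Z user=alice path=/api/trpc/credentials.getCredentials?input=%7B%7D status=200",
  "2026-01-22T10:30:00Z user=bob path=/api/trpc/credentials.getCredentials?input=%7B%7D status=200",
];
```

Tune the threshold to how often the builder legitimately fetches credentials in your deployment; a burst of reads covering every credential type a user has stored, within seconds of a preview, is the pattern this rule is meant to surface.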
How to Mitigate CVE-2025-65098
Immediate Actions Required
- Upgrade Typebot to version 3.13.2 or later immediately
- Rotate all stored credentials (OpenAI API keys, Google Sheets tokens, SMTP passwords) that may have been exposed
- Review access logs for any signs of credential theft or unauthorized API access
- Implement CSP headers as an additional defense layer while patching is in progress
Patch Information
The vulnerability is fixed in Typebot version 3.13.2. Users should upgrade to this version or later to remediate the issue. The patch addresses both the XSS vulnerability in chatbot preview functionality and adds proper ownership verification to the credentials API endpoint.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Restrict access to the Typebot instance to trusted users only until the patch can be applied
- Implement strict Content Security Policy headers to prevent inline script execution and limit allowed script sources
- Disable or restrict the chatbot preview functionality if possible until patching is complete
- Use network segmentation to limit outbound connections from the Typebot application
# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline';" always;
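To check that a deployed policy actually closes the two channels this attack needs (inline script execution and outbound requests from injected script), here is an added CSP audit example, not part of the original page or of Typebot: it parses a Content-Security-Policy header value, applies the default-src fallback rule for script-src and connect-src, and reports permissive settings. The nginx policy above is used as the strict sample; the weaker policies are constructed.

```typescript
// Added CSP audit example: parses a header value and reports settings that
// would let an injected script run or phone home. Not Typebot code; the weak
// sample policies are constructed for this example.

type CspPolicy = Record<string, string[]>;

// Split "directive src src; directive src" into a map of directive -> sources.
function parseCsp(header: string): CspPolicy {
  const policy: CspPolicy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// Fetch directives fall back to default-src when not set explicitly.
function effectiveSources(policy: CspPolicy, directive: string): string[] | undefined {
  return policy[directive] || policy["default-src"];
}

// Returns human-readable issues; an empty array means the policy blocks inline
// scripts and restricts where injected code could send data.
function auditCsp(header: string): string[] {
  const p = parseCsp(header);
  const issues: string[] = [];
  const script = effectiveSources(p, "script-src");
  if (script === undefined) {
    issues.push("script-src: neither script-src nor default-src is set, so inline scripts are allowed");
  } else {
    if (script.includes("'unsafe-inline'")) issues.push("script-src: 'unsafe-inline' permits injected inline scripts and event handlers");
    if (script.includes("*")) issues.push("script-src: wildcard allows scripts from any origin");
    if (script.includes("data:")) issues.push("script-src: data: URIs can carry attacker-supplied script");
  }
  const connect = effectiveSources(p, "connect-src");
  if (connect === undefined) {
    issues.push("connect-src: unrestricted, so injected script can send data to any host");
  } else if (connect.includes("*")) {
    issues.push("connect-src: wildcard allows requests to any host");
  }
  return issues;
}

// The policy from the nginx snippet on this page.
const NGINX_POLICY = "default-src 'self'; script-src 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline';";
// Constructed weak policies for comparison.
const WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' *; style-src 'unsafe-inline'";
const STYLE_ONLY_POLICY = "style-src 'self'";
```

Two caveats when reading the output: browsers ignore 'unsafe-inline' in script-src once a nonce or hash source is present, which this checker does not model, and a strict connect-src does not stop exfiltration through image loads or navigation, so img-src and form-action deserve the same scrutiny.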
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

