CVE-2025-64709 · CRITICAL 9.9 · EPSS percentile 24.5%

CVE-2025-64709

Description

Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) allows authenticated users to make arbitrary HTTP requests from the server, including requests to the AWS Instance Metadata Service (IMDS). By bypassing IMDSv2 protection through custom header injection, attackers can extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure. Version 3.13.1 fixes the issue.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.33% probability of exploitation · percentile 24.5% · 2026-06-19T12:03:05Z
Published: 2025-11-13
Last modified: 2026-01-30

Underlying weaknesses (1)

CWE-918

References

  1. https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8gq9-rw7v-3jpr

Type     | Target                                      | Confidence | Tier
Weakness | Server-Side Request Forgery (SSRF), CWE-918 | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-33712
CVE: CVE-2026-28445
CVE: CVE-2026-42864
CVE: CVE-2026-42398
CVE: CVE-2026-22742
CVE: CVE-2025-62616
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.