CVE-2025-65098
Published: 22 January 2026
Summary
CVE-2025-65098 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Typebot, an open-source chatbot builder (NVD lists both vendor and product as Typebot). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). It ranks at the 3.8th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is tagged AI-related (category: APIs and Models). The tag comes from keyword matching on "openai" in the description, since the stolen secrets include OpenAI API keys; the flaw itself is a web authorization and script-execution issue, not a weakness in any model.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
- Enforcing rules governing access to the system and its data from external systems, based on established trust relationships.
- Verifying that a sharing partner's access authorizations match the information's restrictions before sharing occurs.
- Ensuring access control decisions are made and applied to every request before enforcement directly prevents improper access control by requiring policy-based checks.
- Enforcing approved authorizations directly implements access control policies to block unauthorized access.
- Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.
- Retaining and monitoring training records confirms personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of unauthorized exposure due to lack of knowledge.
- Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE combines an authorization flaw in a credential-retrieval API (plaintext keys returned without an ownership check) with client-side JavaScript execution triggered by previewing a malicious typebot. Together these enable theft of application access tokens and keys (T1528) and browser-based script execution to exfiltrate them.
NVD Description
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.
Deeper analysis (AI-generated)
CVE-2025-65098, published on 2026-01-22, is a vulnerability in Typebot, an open-source chatbot builder, affecting versions prior to 3.13.2. It enables client-side script execution that allows attackers to steal all stored credentials from any user. The root cause is the `/api/trpc/credentials.getCredentials` endpoint, which returns plaintext API keys without verifying that the requested credential belongs to the caller. The script-execution path supplies the delivery mechanism; the missing ownership check is what turns it from a same-user problem into a cross-user one.
Attackers exploit this by creating a malicious typebot that victims preview by clicking "Run." This triggers JavaScript execution in the victim's browser, which can then call the endpoint and exfiltrate sensitive data such as OpenAI keys, Google Sheets tokens, and SMTP passwords. Exploitation requires no privileges (PR:N) and is achievable remotely over the network (AV:N), though it demands user interaction (UI:R). The CVSS score of 7.4 reflects high confidentiality impact (C:H) with no integrity or availability impact, in a changed scope (S:C) because the impact reaches beyond the vulnerable component into the third-party services those secrets unlock.
Version 3.13.2 addresses the issue by fixing the credential retrieval flaw. Operators should upgrade to 3.13.2 or later, and, because the endpoint returned plaintext secrets, treat any OpenAI keys, Google Sheets tokens, and SMTP passwords stored in an exposed instance as potentially compromised and rotate them. Additional details are available in the GitHub security advisory at https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47.
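The missing ownership check described above, as an added illustration in TypeScript (the `/api/trpc/` path points to a tRPC resolver, but this is not Typebot's code and does not reproduce its fix). It places a vulnerable lookup beside a hardened one over a constructed two-workspace store, and adds a metadata-only listing as a further hardening suggested here. The names `Credential`, `Ctx`, `credentialStore`, `workspaceMembers`, `getCredentialsVulnerable`, `getCredentialsFixed`, `listCredentialMetadata` and `crossTenantRead`, and all sample values, are assumptions.

```typescript
// Added illustration for CVE-2025-65098; this is not Typebot's code. Plain
// functions stand in for the tRPC resolver. All types, names and sample data
// below are assumptions constructed for the example.

type Credential = {
  id: string;
  workspaceId: string;
  type: "openai" | "google sheets" | "smtp";
  secret: Record<string, string>; // plaintext secret material, as the advisory describes
};

type Ctx = { userId: string | null }; // what the server knows about the caller

// Constructed sample store: two workspaces, one stored credential each.
const credentialStore: Credential[] = [
  { id: "cred-1", workspaceId: "ws-alice", type: "openai", secret: { apiKey: "sk-alice-example" } },
  { id: "cred-2", workspaceId: "ws-bob", type: "smtp", secret: { password: "bob-smtp-example" } },
];

// Assumed membership table: which users may read a workspace's credentials.
const workspaceMembers: Record<string, string[]> = {
  "ws-alice": ["alice"],
  "ws-bob": ["bob"],
};

// Vulnerable shape. The caller must be logged in, but nothing ties the requested
// credentialId to a workspace the caller belongs to, so any authenticated
// session (including a script running in a victim's browser) can read any
// stored secret by id. This is the pattern the advisory calls "without
// verifying credential ownership".
function getCredentialsVulnerable(ctx: Ctx, credentialId: string): Credential | null {
  if (ctx.userId === null) throw new Error("UNAUTHORIZED");
  return credentialStore.find((c) => c.id === credentialId) ?? null;
}

// Hardened shape. The lookup is scoped to a workspace, membership is checked
// before any data access, and a forbidden lookup returns the same result as a
// missing one so the endpoint cannot be used to enumerate ids across workspaces.
function getCredentialsFixed(ctx: Ctx, workspaceId: string, credentialId: string): Credential | null {
  if (ctx.userId === null) throw new Error("UNAUTHORIZED");
  const members = workspaceMembers[workspaceId] ?? [];
  if (!members.includes(ctx.userId)) return null;
  return credentialStore.find((c) => c.id === credentialId && c.workspaceId === workspaceId) ?? null;
}

// Further hardening suggested here (the advisory does not attribute this to the
// fix): a UI that only needs to list credentials gets metadata, never the secret,
// so client-side script execution cannot exfiltrate key material via this path.
function listCredentialMetadata(ctx: Ctx, workspaceId: string): Array<{ id: string; type: string }> {
  if (ctx.userId === null) throw new Error("UNAUTHORIZED");
  const members = workspaceMembers[workspaceId] ?? [];
  if (!members.includes(ctx.userId)) return [];
  return credentialStore
    .filter((c) => c.workspaceId === workspaceId)
    .map(({ id, type }) => ({ id, type }));
}

// Demonstration: "eve" holds a valid session but belongs to no workspace here.
// Reports whether each handler lets her read Alice's OpenAI key.
function crossTenantRead(): { vulnerable: boolean; fixed: boolean } {
  const eve: Ctx = { userId: "eve" };
  const viaVulnerable = getCredentialsVulnerable(eve, "cred-1");
  const viaFixed = getCredentialsFixed(eve, "ws-alice", "cred-1");
  return { vulnerable: viaVulnerable !== null, fixed: viaFixed !== null };
}

console.log(crossTenantRead()); // { vulnerable: true, fixed: false }
```

The check worth carrying into your own code review: every resolver that takes an object id must derive the authorization scope (here the workspace) from the caller, not from the request, and must return secret material only to handlers that genuinely need it.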
Details
- CWE(s): CWE-79 (Cross-site Scripting)
- Affected Products: Typebot, versions prior to 3.13.2 (fixed in 3.13.2)
AI Security Analysis (AI-generated)
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: openai