CVE-2025-65098
Published: 22 January 2026
Summary
CVE-2025-65098 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Typebot (vendor: Typebot). Its CVSS base score is 7.4 (High).
Exploitation maps to the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE is ranked at the 5.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2025-65098, published on 2026-01-22, is a vulnerability in Typebot, an open-source chatbot builder, affecting versions prior to 3.13.2. It enables client-side script execution that allows attackers to steal all stored credentials from any user. The root cause lies in the `/api/trpc/credentials.getCredentials` endpoint, which returns plaintext API keys without verifying credential ownership.
Attackers can exploit this by creating a malicious typebot, which victims preview by clicking "Run." This triggers JavaScript execution in the victim's browser, exfiltrating sensitive data such as OpenAI keys, Google Sheets tokens, and SMTP passwords. Exploitation requires no privileges (PR:N) and is achievable remotely over the network (AV:N), though it demands user interaction (UI:R), resulting in a CVSS score of 7.4 with high confidentiality impact (C:H) in a changed scope (S:C).
Version 3.13.2 addresses the issue by fixing the credential retrieval flaw. Additional details are available in the GitHub security advisory at https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47.
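As an added illustration (not Typebot's own code, and not the project's actual 3.13.2 patch), the following TypeScript shows a tRPC-style `credentials.getCredentials` procedure in the shape the advisory describes beside a hardened shape that checks workspace ownership and keeps the decrypted secret out of the browser-facing response; all names, types and the sample store are assumptions.

```typescript
// Added illustration, not Typebot's own code: a tRPC-style credentials.getCredentials
// procedure in its vulnerable shape beside a hardened shape that enforces credential
// ownership and never hands the decrypted secret to the browser.
// Every type, field name and record below is an assumption constructed for this example.

type Credential = { id: string; workspaceId: string; type: string; name: string; secret: string };
type Session = { userId: string; workspaceIds: string[] } | null;

// Constructed sample store: one credential in each of two workspaces (placeholder secrets).
const CREDENTIALS: Credential[] = [
  { id: "cred-a", workspaceId: "ws-alice", type: "openai", name: "OpenAI key", secret: "sk-alice-PLACEHOLDER" },
  { id: "cred-b", workspaceId: "ws-bob", type: "smtp", name: "Mail server", secret: "smtp-bob-PLACEHOLDER" },
];

// Vulnerable shape: the caller's session is ignored, so any caller (even an anonymous
// one) can read any credential by id, secret included. Nothing ties the record to the
// requester, which is the ownership gap the advisory describes.
function getCredentialsVulnerable(_session: Session, input: { credentialsId: string }): Credential {
  const cred = CREDENTIALS.find((c) => c.id === input.credentialsId);
  if (!cred) throw new Error("NOT_FOUND"); // error strings stand in for tRPC error codes
  return cred;
}

// Hardened shape: require a session, require membership in the owning workspace, and
// return only non-secret metadata. Server-side consumers that need the secret should
// read it through a server-only path, never through this browser-facing procedure.
function getCredentialsHardened(session: Session, input: { credentialsId: string }) {
  if (!session) throw new Error("UNAUTHORIZED");
  const cred = CREDENTIALS.find((c) => c.id === input.credentialsId);
  // Foreign and missing credentials get the same answer, so the endpoint cannot be
  // used to confirm that another workspace's credential id exists.
  if (!cred || session.workspaceIds.indexOf(cred.workspaceId) === -1) throw new Error("NOT_FOUND");
  const { id, workspaceId, type, name } = cred;
  return { id, workspaceId, type, name };
}
```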
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4135
Vulnerability details
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.
- CWE(s): CWE-79 (Cross-site Scripting)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: openai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an authorization flaw in a credential retrieval API combined with client-side JavaScript execution in a malicious chatbot preview, directly enabling theft of application access tokens/keys and browser-based script execution for exfiltration.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly requires the system to enforce that only the credential owner may retrieve plaintext keys via `/api/trpc/credentials.getCredentials`.
- Would restrict the preview/Run function and credential endpoint to the minimum privileges needed, blocking cross-user access.
- AC-4 (Information Flow Enforcement): Enforces controlled information flows so that sensitive credentials cannot be exfiltrated to an unauthorized recipient during client-side preview execution.