Cyber Resilience

CVE-2025-65098

HighPublic PoC

Published: 22 January 2026

Published
22 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS Score 0.0002 5.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-65098 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Typebot Typebot. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2025-65098 is a vulnerability in Typebot, an open-source chatbot builder, affecting versions prior to 3.13.2. It enables client-side script execution that allows attackers to steal all stored credentials from any user. The root cause lies in the `/api/trpc/credentials.getCredentials` endpoint, which returns plaintext API keys without verifying credential ownership, published on 2026-01-22.

Attackers can exploit this by creating a malicious typebot, which victims preview by clicking "Run." This triggers JavaScript execution in the victim's browser, exfiltrating sensitive data such as OpenAI keys, Google Sheets tokens, and SMTP passwords. Exploitation requires no privileges (PR:N) and is achievable remotely over the network (AV:N), though it demands user interaction (UI:R), resulting in a CVSS score of 7.4 with high confidentiality impact (C:H) in a changed scope (S:C).

Version 3.13.2 addresses the issue by fixing the credential retrieval flaw. Additional details are available in the GitHub security advisory at https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47.

EU & UK References

Vulnerability details

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and…

more

exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: openai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The CVE describes an authorization flaw in a credential retrieval API combined with client-side JavaScript execution in a malicious chatbot preview, directly enabling theft of application access tokens/keys and browser-based script execution for exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21852Shared CWE-522
CVE-2026-27616Shared CWE-79
CVE-2026-32890Shared CWE-200, CWE-79
CVE-2026-40252Shared CWE-284, CWE-639
CVE-2026-44556Shared CWE-284, CWE-862
CVE-2025-69368Shared CWE-79
CVE-2026-41279Shared CWE-639
CVE-2025-0829Shared CWE-79
CVE-2026-44555Shared CWE-862
CVE-2026-3880Shared CWE-79

Affected Assets

typebot
typebot
≤ 3.13.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires the system to enforce that only the credential owner may retrieve plaintext keys via /api/trpc/credentials.getCredentials.

prevent

Would restrict the preview/Run function and credential endpoint to the minimum privileges needed, blocking cross-user access.

prevent

Enforces controlled information flows so that sensitive credentials cannot be exfiltrated to an unauthorized recipient during client-side preview execution.

References