CVE-2025-65098: typebot: XSS enables session hijacking
HIGH | PoC AVAILABLE | CISA: TRACK*

Typebot versions prior to 3.13.2 expose a critical credential theft vector: any user tricked into previewing a malicious chatbot will have their OpenAI API keys, OAuth tokens, and SMTP credentials silently exfiltrated via XSS. Patch to 3.13.2 immediately and rotate all API credentials stored in Typebot instances — assume keys are compromised if any user previewed an untrusted bot. Organizations relying on Typebot-integrated LLM pipelines face unauthorized API usage, billing fraud, and downstream data exposure across connected AI services.
What is the risk?
High risk for any organization running Typebot for AI workflow automation. Exploitability is elevated: the attack requires only social engineering to convince a victim to click 'Run', no privileges are needed, and the BOLA flaw on the credentials endpoint means an XSS payload is sufficient to harvest all stored keys in one request. The CVSS 7.4 likely underestimates business impact — stolen OpenAI keys grant full LLM API access at the victim's expense, enabling cost harvesting, model abuse, and indirect exposure of data from connected AI workflows.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| typebot | — | — | No patch |
What should I do?
1) Upgrade Typebot to 3.13.2 immediately — patch is available, no workaround is viable.
2) Rotate ALL credentials stored in Typebot: OpenAI API keys, Google OAuth tokens, SMTP passwords — treat as compromised if any user previewed an untrusted bot.
3) Audit OpenAI API usage logs for anomalous calls in the past 30 days.
4) Check Google Workspace audit logs for unexpected Sheets access.
5) Add Content-Security-Policy headers blocking inline script execution as defense-in-depth.
6) Enforce credential ownership verification on all credential-returning API endpoints (BOLA fix).
7) Migrate to secrets managers (AWS Secrets Manager, HashiCorp Vault) instead of storing plaintext API keys in application databases.
8) Alert on mass credential read events from single sessions in API gateway logs.
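One way to implement the alert in step 8, as an added example that is not Typebot or gateway vendor code. The JSON-lines log format, its field names, the window and the threshold are assumptions, and the sample log is constructed; only the endpoint path comes from the advisory.

```javascript
// Endpoint named in the advisory; everything else below is assumed or constructed.
const CRED_PATH = "/api/trpc/credentials.getCredentials";

// Constructed sample gateway log (JSON lines). Field names are assumptions.
const SAMPLE_LOG = `
{"ts":"2025-01-01T10:00:00Z","session":"s-1","path":"/api/trpc/credentials.getCredentials","status":200}
{"ts":"2025-01-01T10:00:05Z","session":"s-1","path":"/api/trpc/credentials.getCredentials?input=%7B%7D","status":200}
{"ts":"2025-01-01T10:00:09Z","session":"s-1","path":"/api/trpc/credentials.getCredentials","status":200}
{"ts":"2025-01-01T10:00:20Z","session":"s-1","path":"/api/trpc/credentials.getCredentials","status":200}
{"ts":"2025-01-01T10:00:00Z","session":"s-2","path":"/api/trpc/credentials.getCredentials","status":200}
{"ts":"2025-01-01T10:10:00Z","session":"s-2","path":"/api/trpc/credentials.getCredentials","status":200}
{"ts":"2025-01-01T10:00:01Z","session":"s-3","path":"/healthz","status":200}
{"ts":"2025-01-01T10:00:02Z","session":"s-4","path":"/api/trpc/credentials.getCredentials","status":401}
not json
`;

// Returns sessions whose successful credential reads reach `threshold`
// inside any sliding window of `windowSec` seconds.
function findMassCredentialReads(logText, { windowSec = 60, threshold = 3 } = {}) {
  const bySession = new Map();
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!e || typeof e.path !== "string" || e.status !== 200) continue;
    if (e.path.split("?")[0] !== CRED_PATH) continue; // ignore query string
    const t = Date.parse(e.ts);
    if (Number.isNaN(t)) continue;
    if (!bySession.has(e.session)) bySession.set(e.session, []);
    bySession.get(e.session).push(t);
  }
  const alerts = [];
  for (const [session, times] of bySession) {
    times.sort((a, b) => a - b);
    let start = 0;
    let peak = 0;
    for (let end = 0; end < times.length; end++) {
      // Shrink the window until it spans at most windowSec seconds.
      while (times[end] - times[start] > windowSec * 1000) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) alerts.push({ session, peak });
  }
  return alerts;
}
```

Because the advisory notes that a single request can return every stored key, a count-based rule only catches repeated reads; keep the threshold low and pair it with the credential rotation and usage audits above.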
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-65098 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-65098, increasing the risk of exploitation.
What systems are affected by CVE-2025-65098?
This vulnerability affects the following AI/ML architecture patterns: chatbot platforms, LLM workflow automation, no-code AI builders, API integration pipelines, agent frameworks.
What is the CVSS score for CVE-2025-65098?
CVE-2025-65098 has a CVSS v3.1 base score of 7.4 (HIGH). The EPSS exploitation probability is 0.30%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0011 User Execution
- AML.T0012 Valid Accounts
- AML.T0025 Exfiltration via Cyber Means
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
- AML.T0055 Unsecured Credentials
- AML.T0083 Credentials from AI Agent Configuration
- AML.T0091.000 Application Access Token
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.
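The missing ownership check described above, shown as a flawed handler beside a hardened one. This is an added example, not Typebot's code or its 3.13.2 fix: the in-memory store, the workspace-membership model, the function names and all sample values are constructed assumptions.

```javascript
// Constructed data model: credentials belong to workspaces, users are members.
const store = {
  members: [
    { userId: "u-alice", workspaceId: "ws-a" },
    { userId: "u-mallory", workspaceId: "ws-m" },
  ],
  credentials: [
    { id: "c1", workspaceId: "ws-a", type: "openai", name: "prod", data: "sk-CONSTRUCTED" },
    { id: "c2", workspaceId: "ws-a", type: "smtp", name: "mail", data: "smtp-CONSTRUCTED" },
    { id: "c3", workspaceId: "ws-m", type: "openai", name: "test", data: "sk-OTHER" },
  ],
};

// Flawed shape: the caller-supplied key selects the records, the session is
// never consulted, and the secret field is returned in plaintext.
function getCredentialsUnchecked(db, session, input) {
  return db.credentials.filter((c) => c.workspaceId === input.workspaceId);
}

class ForbiddenError extends Error {}

// Hardened shape: require a session, authorize the requested workspace
// against server-side membership, and return metadata only.
function getCredentialsChecked(db, session, input) {
  if (!session || !session.userId) throw new ForbiddenError("not authenticated");
  const isMember = db.members.some(
    (m) => m.userId === session.userId && m.workspaceId === input.workspaceId
  );
  if (!isMember) throw new ForbiddenError("not a member of this workspace");
  return db.credentials
    .filter((c) => c.workspaceId === input.workspaceId)
    .map(({ id, type, name }) => ({ id, type, name })); // no secret material
}
```

The ownership check stops cross-tenant reads; withholding the `data` field is what limits a script running inside the owner's own session, since the browser never receives the secret.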
Exploitation Scenario
Attacker creates a Typebot instance embedding malicious JavaScript in a custom HTML/code block. Attacker shares a preview link via Slack, email, or GitHub targeting Typebot administrators or developers. Victim clicks 'Run' to preview the bot — no account linkage or elevated permissions required. JavaScript executes in the victim's browser, calls `/api/trpc/credentials.getCredentials` which returns all stored credentials in plaintext without verifying ownership. OpenAI key, Google OAuth token, and SMTP password are immediately POSTed to an attacker-controlled webhook. Attacker begins using stolen OpenAI key within minutes — victim's quota drains, attacker gains access to LLM endpoints and any data flowing through the victim's AI automation pipelines.
Weaknesses (CWE)
- CWE-522 Insufficiently Protected Credentials (Primary)
- CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (Primary)
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
- CWE-284 Improper Access Control
- CWE-311 Missing Encryption of Sensitive Data
- CWE-639 Authorization Bypass Through User-Controlled Key
- CWE-862 Missing Authorization

CWE-522 — Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
- [Architecture and Design] Use an appropriate security mechanism to protect the credentials.
- [Architecture and Design] Make appropriate use of cryptography to protect the credentials.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Related Vulnerabilities
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Data Leakage
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required (CVSS 10). Same attack type: Data Extraction
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Data Leakage
- CVE-2025-2828 (10.0) LangChain RequestsToolkit: SSRF exposes cloud metadata. Same attack type: Data Extraction
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Data Extraction