AI Threat Alert AI Threat Alert

CVE-2025-65098: typebot: XSS enables session hijacking

HIGH PoC AVAILABLE CISA: TRACK*
Published January 22, 2026
CISO Take

Typebot versions prior to 3.13.2 expose a critical credential theft vector: any user tricked into previewing a malicious chatbot will have their OpenAI API keys, OAuth tokens, and SMTP credentials silently exfiltrated via XSS. Patch to 3.13.2 immediately and rotate all API credentials stored in Typebot instances — assume keys are compromised if any user previewed an untrusted bot. Organizations relying on Typebot-integrated LLM pipelines face unauthorized API usage, billing fraud, and downstream data exposure across connected AI services.

Risk Assessment

High risk for any organization running Typebot for AI workflow automation. Exploitability is elevated: the attack requires only social engineering to convince a victim to click 'Run', no privileges needed, and the BOLA flaw on the credentials endpoint means XSS payload is sufficient to harvest all stored keys in one request. The CVSS 7.4 likely underestimates business impact — stolen OpenAI keys grant full LLM API access at victim's expense, enabling cost harvesting, model abuse, and indirect exposure of data from connected AI workflows.

Affected Systems

Package Ecosystem Vulnerable Range Patched
typebot No patch

Do you use typebot? You're affected.

Severity & Risk

CVSS 3.1
7.4 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 4% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Changed
C High
I None
A None

Recommended Action

1 step

  1. 1) Upgrade Typebot to 3.13.2 immediately — patch is available, no workaround is viable. 2) Rotate ALL credentials stored in Typebot: OpenAI API keys, Google OAuth tokens, SMTP passwords — treat as compromised if any user previewed an untrusted bot. 3) Audit OpenAI API usage logs for anomalous calls in the past 30 days. 4) Check Google Workspace audit logs for unexpected Sheets access. 5) Add Content-Security-Policy headers blocking inline script execution as defense-in-depth. 6) Enforce credential ownership verification on all credential-returning API endpoints (BOLA fix). 7) Migrate to secrets managers (AWS Secrets Manager, HashiCorp Vault) instead of storing plaintext API keys in application databases. 8) Alert on mass credential read events from single sessions in API gateway logs.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Data Leakage API Framework Agent AML.T0011 AML.T0012 AML.T0025 AML.T0034 AML.T0049 AML.T0055 AML.T0083 AML.T0091.000 AML.T0106

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.9.3 - Information security in AI system lifecycle A.9.4 - AI System Security
NIST AI RMF
GOVERN-1.7 - Processes for AI risk management MANAGE-2.2 - Mechanisms to sustain the value of AI systems MANAGE-2.4 - Risk Treatment and Residual Risk
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-65098?

Typebot versions prior to 3.13.2 expose a critical credential theft vector: any user tricked into previewing a malicious chatbot will have their OpenAI API keys, OAuth tokens, and SMTP credentials silently exfiltrated via XSS. Patch to 3.13.2 immediately and rotate all API credentials stored in Typebot instances — assume keys are compromised if any user previewed an untrusted bot. Organizations relying on Typebot-integrated LLM pipelines face unauthorized API usage, billing fraud, and downstream data exposure across connected AI services.

Is CVE-2025-65098 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-65098, increasing the risk of exploitation.

How to fix CVE-2025-65098?

1) Upgrade Typebot to 3.13.2 immediately — patch is available, no workaround is viable. 2) Rotate ALL credentials stored in Typebot: OpenAI API keys, Google OAuth tokens, SMTP passwords — treat as compromised if any user previewed an untrusted bot. 3) Audit OpenAI API usage logs for anomalous calls in the past 30 days. 4) Check Google Workspace audit logs for unexpected Sheets access. 5) Add Content-Security-Policy headers blocking inline script execution as defense-in-depth. 6) Enforce credential ownership verification on all credential-returning API endpoints (BOLA fix). 7) Migrate to secrets managers (AWS Secrets Manager, HashiCorp Vault) instead of storing plaintext API keys in application databases. 8) Alert on mass credential read events from single sessions in API gateway logs.

What systems are affected by CVE-2025-65098?

This vulnerability affects the following AI/ML architecture patterns: chatbot platforms, LLM workflow automation, no-code AI builders, API integration pipelines, agent frameworks.

What is the CVSS score for CVE-2025-65098?

CVE-2025-65098 has a CVSS v3.1 base score of 7.4 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.

Exploitation Scenario

Attacker creates a Typebot instance embedding malicious JavaScript in a custom HTML/code block. Attacker shares a preview link via Slack, email, or GitHub targeting Typebot administrators or developers. Victim clicks 'Run' to preview the bot — no account linkage or elevated permissions required. JavaScript executes in the victim's browser, calls `/api/trpc/credentials.getCredentials` which returns all stored credentials in plaintext without verifying ownership. OpenAI key, Google OAuth token, and SMTP password are immediately POSTed to an attacker-controlled webhook. Attacker begins using stolen OpenAI key within minutes — victim's quota drains, attacker gains access to LLM endpoints and any data flowing through the victim's AI automation pipelines.

Weaknesses (CWE)

CWE-522 Primary CWE-79 Primary CWE-200 CWE-284 CWE-311 CWE-522 CWE-639 CWE-79 CWE-862

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

References

Timeline

Published
January 22, 2026
Last Modified
January 30, 2026
First Seen
January 22, 2026

Related Vulnerabilities

CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Data Leakage
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Leakage
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
Back to Threat Feed