Home > Vulnerability Database > CVE-2025-64706

Mend.io Vulnerability Database

CVE-2025-64706

Good to know:

Date: November 13, 2025

Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue.

Severity Score

5.0

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64706

Url: https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grx8-g27p-8hpp

Url: https://www.mend.io/vulnerability-database/CVE-2025-64706

Severity Score

5.0

Weakness Type (CWE)

Improper Access Control

CWE-284

Authorization Bypass Through User-Controlled Key

CWE-639

Top Fix

Upgrade Version

Upgrade to version https://github.com/baptisteArno/typebot.io.git - v3.13.0

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64706

Good to know:

Date: November 13, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?