Home > Vulnerability Database > CVE-2025-64709

Mend.io Vulnerability Database

CVE-2025-64709

Good to know:

Date: November 13, 2025

Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) functionality allows authenticated users to make arbitrary HTTP requests from the server, including access to AWS Instance Metadata Service (IMDS). By bypassing IMDSv2 protection through custom header injection, attackers can extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure. Version 3.13.1 fixes the issue.

Severity Score

9.6

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64709

Url: https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8gq9-rw7v-3jpr

Url: https://www.mend.io/vulnerability-database/CVE-2025-64709

Severity Score

9.6

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version https://github.com/baptisteArno/typebot.io.git - v3.13.1

Learn More

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64709

Good to know:

Date: November 13, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?