PT-2025-46875 · Typebot · Typebot

Published: 2025-11-13 · Updated: 2026-01-30 · CVE-2025-64706

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Typebot versions 3.9.0 through 3.12.9

Description: Typebot is an open-source chatbot builder. An Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker who knows a target user's ID and token ID can delete that user's API token and retrieve its value, because the endpoint performs no authorization check. The vulnerable endpoint does not validate that the caller is permitted to act on the referenced resource: the user ID and token ID supplied in the request are used directly to look up and manipulate API tokens, allowing unauthorized modification of another user's resources.

Recommendations: Upgrade to Typebot version 3.13.0 or later.
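The access-control defect described above, as an added illustration that is not Typebot's code: a token-deletion handler that trusts the caller-supplied user ID beside one that derives ownership from the authenticated session and the stored record. The store, handler names and session shape are assumptions.

```typescript
// Added example, not code from the Typebot project. Assumed types:
type Session = { userId: string };                       // authenticated caller
type ApiToken = { id: string; ownerId: string; value: string };

// Constructed in-memory store standing in for the database.
const tokens = new Map<string, ApiToken>();
function resetStore(): void {
  tokens.clear();
  tokens.set("tok-1", { id: "tok-1", ownerId: "alice", value: "secret-alice" });
  tokens.set("tok-2", { id: "tok-2", ownerId: "bob", value: "secret-bob" });
}
function tokenExists(tokenId: string): boolean {
  return tokens.has(tokenId);
}

// IDOR shape: the route requires login, but the userId/tokenId from the
// request are used as-is. Nothing ties them to the session, so any logged-in
// caller who knows another user's IDs can delete that token and read it back.
function deleteTokenInsecure(session: Session, userId: string, tokenId: string): string | null {
  const token = tokens.get(tokenId);
  if (!token || token.ownerId !== userId) return null;   // checks the *claimed* owner only
  tokens.delete(tokenId);
  return token.value;                                    // returns the secret to the caller
}

// Hardened shape: the caller may only act as themselves, ownership is checked
// against the stored record, and the secret value is never returned.
function deleteTokenSecure(session: Session, userId: string, tokenId: string): boolean {
  if (userId !== session.userId) return false;           // cross-user request: reject
  const token = tokens.get(tokenId);
  if (!token || token.ownerId !== session.userId) return false; // not yours: reject
  tokens.delete(tokenId);
  return true;
}
```

Returning the same failure for "missing" and "not owned" also avoids confirming whether a guessed token ID exists.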

Tags: Improper Access Control, IDOR


Weakness Enumeration

Related Identifiers

CVE-2025-64706
GHSA-GRX8-G27P-8HPP

Affected Products

Typebot