PT-2026-42818 · Typebot · Typebot
Published
2026-05-22
·
Updated
2026-05-22
·
CVE-2026-39965
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
TypeBot versions prior to 3.16.0
Description
An authenticated user can perform a Server-Side Request Forgery (SSRF) by bypassing open redirect protections. The HTTP Request block and Code block use the
validateHttpReqUrl() function to block private IPs and cloud metadata hostnames during the initial request. However, the HTTP clients ky and fetch follow 302 redirects without re-validating the destination. This allows an attacker to redirect the server to internal IPs, such as AWS metadata (169.254.169.254), private subnets, and container-internal services, potentially leading to the extraction of cloud IAM credentials or the probing of internal APIs.Recommendations
Update to version 3.16.0.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Typebot