Overview
CVE-2025-64706 details a critical Insecure Direct Object Reference (IDOR) vulnerability found in Typebot, an open-source chatbot builder. The flaw allows an authenticated attacker to retrieve or delete the API tokens of other users in the system without proper authorization. The vulnerability affects Typebot versions 3.9.0 up to, but excluding, version 3.13.0.
Technical Details
The IDOR vulnerability resides in the API token management endpoint of Typebot. The endpoint does not verify that the authenticated caller owns the token named in the request; it trusts the user ID and token ID supplied by the client. An authenticated attacker can therefore alter the target user ID and token ID in an API request to retrieve or delete tokens belonging to other users. The attacker only needs to know the victim's user ID and the target API token's ID. No additional privileges or authentication are required beyond a valid user account.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns this vulnerability a score of 5.0 (MEDIUM). This score reflects the potential impact of the vulnerability, considering factors such as the ease of exploitation and the potential for data compromise.
Possible Impact
Successful exploitation of CVE-2025-64706 can have significant consequences:
- Unauthorized Access: Attackers can gain unauthorized access to resources protected by the compromised API tokens.
- Data Breach: Sensitive data accessible through the API tokens may be exposed.
- Account Takeover: In certain scenarios, compromised API tokens could facilitate account takeover.
- Denial of Service: Deleting valid API tokens can disrupt legitimate users’ access to Typebot functionalities.
Mitigation
The vulnerability has been addressed in Typebot version 3.13.0. Users of Typebot are strongly advised to upgrade to version 3.13.0 or later to mitigate the risk associated with CVE-2025-64706. Prior to upgrading, consider implementing temporary workarounds if possible, such as limiting API token creation permissions or closely monitoring API token usage.
