Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure

5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue.

Basic Information

ID CVE-2025-64706

Source GitHub_M

Published Nov 13, 2025 at 17:49

Modified Nov 13, 2025 at 18:22

Affected Product

Vendor baptisteArno

Product typebot.io

Version >= 3.9.0, < 3.13.0

Affected Versions baptisteArno typebot.io >= 3.9.0, < 3.13.0

CWE Classification

CWE-639 CWE-284

References

github.com /baptisteArno/typebot.io/security/advisories/GHSA-grx8-g27p-8hpp

{
    "lastseen": "",
    "description": "Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing the target user's ID and token ID, without requiring authorization checks. Version 3.13.0 fixes the issue.",
    "published": "2025-11-13T17:49:29.802Z",
    "modified": "2025-11-13T18:22:36.897Z",
    "type": "cve",
    "title": "Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure",
    "source": "GitHub_M",
    "references": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-grx8-g27p-8hpp",
    "id": "CVE-2025-64706",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639",
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "baptisteArno typebot.io >= 3.9.0, < 3.13.0",
    "sourceHref": "",
    "cvss": {
        "score": 5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "typebot.io",
    "version": ">= 3.9.0, < 3.13.0",
    "vendor": "baptisteArno",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure_CVE-2025-64706