Typebot
- <= 3.13.0 (fixed in 3.13.1)
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Typebot versions prior to 3.13.1. The flaw is in the webhook block: an authenticated user can have the server issue an HTTP request to an arbitrary URL, with a method and request headers of the user's choosing. On an AWS-hosted deployment this is enough to reach the EC2 Instance Metadata Service (IMDS). IMDSv2 normally blocks naive SSRF because a session token must first be obtained with a PUT request carrying a token-TTL header; since the webhook block lets the attacker set both the method and custom headers, that protection is bypassed. The attacker can then read the temporary IAM credentials of the EKS node role, leading to compromise of the Kubernetes cluster and the AWS resources that role can reach.
The extracted node-role credentials are valid, time-limited AWS credentials, so the blast radius is whatever that role is permitted to access: the EKS cluster itself and, depending on the role's policies, services such as Amazon RDS, Amazon S3, AWS Secrets Manager, and CloudWatch Logs. The business impact follows from that access: data exposure, financial loss, regulatory penalties, legal liability, reputational damage, and service disruption.
To reproduce this vulnerability, an authenticated user opens the Typebot editor and adds a Webhook block. The block is configured to send a PUT request to the AWS metadata endpoint with the custom header that requests an IMDSv2 session token; the response contains the token. A second webhook request, carrying that token as a header, is then sent to the IAM security-credentials path of the metadata service, which returns the access key, secret key, and session token of the EKS node role. Those credentials can be used from anywhere to act as the node role against the EKS cluster and the AWS account.
Users are advised to update Typebot to version 3.13.1 or later. Additionally, it is recommended to restrict outbound access from Typebot instances to the AWS metadata endpoint (169.254.169.254 and fd00:ec2::254) and to private IP ranges, to disable the webhook block test functionality for untrusted users, and to validate and proxy outgoing webhook requests. Any such validation has to be applied on every send (test and production alike), re-applied on each redirect hop, and performed on the resolved IP address rather than only on the hostname, otherwise a DNS name that points at a link-local or private address sidesteps the check.
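The outbound-request validation recommended above, as an added example written for this page; it is not Typebot's own code. It assumes a hypothetical `validateWebhookUrl` gate placed in front of the webhook sender, a DNS lookup injected as a `Resolver` callback (here replaced by a constructed lookup table so it runs offline), and a deny list covering loopback, link-local (which includes the AWS IMDS address), RFC 1918, CGNAT, IPv6 ULA (which includes the IMDS IPv6 address), and IPv4-mapped IPv6 forms. It relies on the WHATWG URL parser, which Node implements, to normalise decimal and octal IPv4 spellings such as `http://2852039166/` back to `169.254.169.254` before the hostname is checked.

```typescript
// Added example for this page, not Typebot's implementation.
// Gate to run before a webhook block sends anything.

type Resolver = (hostname: string) => string[]; // hypothetical DNS hook, returns IP literals
type Verdict =
  | { ok: true; host: string; addresses: string[] }
  | { ok: false; reason: string };

// Ranges a server-side webhook should never be allowed to reach.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],      // "this" network
  ["10.0.0.0", 8],     // RFC 1918
  ["100.64.0.0", 10],  // CGNAT
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, covers the IMDS address 169.254.169.254
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
];

// Dotted-quad -> 32-bit integer, or null if not a valid IPv4 literal.
function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedV4(ip: number): boolean {
  return BLOCKED_V4.some(([base, bits]) => {
    const shift = 32 - bits;
    return (ip >>> shift) === ((v4ToInt(base) as number) >>> shift);
  });
}

// IPv6 literal -> eight 16-bit groups (handles "::" and an embedded dotted IPv4 tail), or null.
function v6ToGroups(ip: string): number[] | null {
  let s = ip;
  const lastColon = s.lastIndexOf(":");
  const tail = s.slice(lastColon + 1);
  if (tail.includes(".")) {
    const v4 = v4ToInt(tail);
    if (v4 === null) return null;
    s = s.slice(0, lastColon + 1) + (v4 >>> 16).toString(16) + ":" + (v4 & 0xffff).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const parse = (h: string): number[] =>
    h === "" ? [] : h.split(":").map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  const head = parse(halves[0]);
  const rest = halves.length === 2 ? parse(halves[1]) : [];
  if ([...head, ...rest].some(Number.isNaN)) return null;
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  return [...head, ...Array(missing).fill(0), ...rest];
}

function isBlockedV6(g: number[]): boolean {
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return isBlockedV4(((g[6] << 16) | g[7]) >>> 0); // ::ffff:a.b.c.d -> apply the IPv4 rules
  }
  if (g.every((x) => x === 0)) return true;                          // ::
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return true; // ::1 loopback
  if ((g[0] & 0xffc0) === 0xfe80) return true;                       // fe80::/10 link-local
  if ((g[0] & 0xfe00) === 0xfc00) return true;                       // fc00::/7 ULA, covers fd00:ec2::254 (IMDS)
  return false;
}

// Reason an address must not be contacted, or null if it is acceptable.
function blockedReason(addr: string): string | null {
  const v4 = v4ToInt(addr);
  if (v4 !== null) return isBlockedV4(v4) ? "blocked IPv4 range" : null;
  const v6 = v6ToGroups(addr);
  if (v6 !== null) return isBlockedV6(v6) ? "blocked IPv6 range" : null;
  return "not an IP address";
}

function validateWebhookUrl(raw: string, resolve: Resolver): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // url.hostname is already normalised (2852039166 -> 169.254.169.254); IPv6 literals keep their brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const addrs = v4ToInt(host) !== null || v6ToGroups(host) !== null ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: `${host} did not resolve` };
  for (const a of addrs) {               // every record must pass, not just the first
    const why = blockedReason(a);
    if (why) return { ok: false, reason: `${host} -> ${a}: ${why}` };
  }
  return { ok: true, host, addresses: addrs }; // connect to these addresses, do not resolve again
}

// Constructed lookup table standing in for DNS so the example runs offline.
const CONSTRUCTED_DNS: Record<string, string[]> = {
  "hooks.example.com": ["203.0.113.10"],
  "rebind.attacker.example": ["203.0.113.10", "169.254.169.254"], // one public A record, one to IMDS
  "localhost": ["127.0.0.1"],
};
const constructedResolver: Resolver = (h) => CONSTRUCTED_DNS[h] ?? [];
```

The verdict returns the addresses that passed so the sender can pin them for the actual connection; resolving the name a second time inside the HTTP client reopens the DNS-rebinding window the check just closed. The same gate has to run again for every redirect the client follows, and a proxy sitting in front of the sender can additionally refuse to forward the IMDSv2 token-request and token headers, which removes the header-injection path described above even if an address check is ever bypassed.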