Typebot
- <= 3.15.2
A server-side request forgery (SSRF) vulnerability affects Typebot versions up to and including 3.15.2. The preview chat endpoint accepts requests from unauthenticated users, and a request that supplies its own typebot definition is processed without the SSRF validations that otherwise apply. Such a definition can contain server-side code blocks; that code runs in an isolated-vm sandbox in which the fetch function is exposed, so an attacker can make the Typebot server issue HTTP requests to destinations of their choosing. The result is unauthorized access to internal network resources, theft of cloud credentials and exfiltration of data, on self-hosted Typebot deployments as well as on the Typebot hosted service.
The SSRF is unauthenticated and bypasses all of the SSRF mitigations previously in place. An attacker can reach cloud metadata endpoints and steal the instance credentials they serve, probe and interact with services on the internal network, and exfiltrate whatever those services return through the chat responses.
To reproduce, send a POST request to the Typebot preview chat endpoint carrying a crafted typebot definition. The definition includes a 'Set variable' block whose server-side code calls fetch against an internal endpoint, for example the AWS instance metadata service; the response lands in the variable and is read back through the chat messages.
Users should update to Typebot version 3.16.0, which addresses the vulnerability by requiring authentication for the preview chat endpoint and restoring the necessary SSRF validations.
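The SSRF validations the fix restores amount to deciding, on the host side and before any connection is made, whether a destination requested by sandboxed code is acceptable. The block below is an added example of such a check, written here for illustration; it is not Typebot's code, and the blocked ranges, the function names and the constructed URLs in it are assumptions. It goes beyond the single metadata case on the page: it handles IP-literal and hostname targets, IPv4-mapped IPv6 forms, and names that resolve to a mix of public and internal addresses.

```javascript
// Added example (not Typebot's code): an outbound-destination check of the
// kind a sandboxed fetch needs before it is allowed to connect. The blocked
// ranges, function names and policy choices are assumptions for illustration.
"use strict";

// Crude family detection for address literals; exact octet validation of
// IPv4 happens in isBlockedIPv4.
function ipFamily(s) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(s)) return 4;
  if (s.includes(":") && /^[0-9a-fA-F:.]+$/.test(s)) return 6;
  return 0;
}

// Addresses user code must never reach: "this" network, loopback, RFC 1918,
// CGNAT (100.64/10), link-local (covers the cloud metadata address
// 169.254.169.254), multicast and reserved space. Malformed input is blocked.
function isBlockedIPv4(ip) {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) return true;
  const [a, b] = o;
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224;
}

// IPv6: unspecified, loopback, ULA (fc00::/7), link-local (fe80::/10), and
// IPv4-mapped forms (::ffff:a.b.c.d or ::ffff:hhhh:hhhh) re-checked as IPv4,
// since those are the usual way to smuggle an internal v4 address past a
// v4-only denylist.
function isBlockedIPv6(ip) {
  const s = ip.toLowerCase();
  const dotted = s.match(/^(?:0*:)*ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedIPv4(dotted[1]);
  const hex = s.match(/^(?:0*:)*ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return s === "::" || s === "::1" || /^f[cd]/.test(s) || /^fe[89ab]/.test(s);
}

function isBlockedAddress(ip) {
  const family = ipFamily(ip);
  if (family === 4) return isBlockedIPv4(ip);
  if (family === 6) return isBlockedIPv6(ip);
  return true; // not an address literal: refuse rather than guess
}

// Pure policy check. `resolved` is the list of addresses the hostname resolves
// to, supplied by the caller so the function can be exercised offline. Every
// address must pass: a name with one public and one internal record is
// rejected, which is the classic multi-record / DNS-rebinding trick.
function checkDestination(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "embedded credentials" };
  // WHATWG URL parsing normalises forms such as 2130706433 or 0177.0.0.1 to
  // dotted-decimal, so the checks below see the canonical address.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  const addrs = ipFamily(host) ? [host] : resolved;
  if (addrs.length === 0) return { ok: false, reason: "host did not resolve" };
  for (const a of addrs) {
    if (isBlockedAddress(a)) return { ok: false, reason: `${host} -> ${a} is not a public address` };
  }
  // Hand back the vetted address so the caller can pin the connection to it
  // instead of resolving the name a second time.
  return { ok: true, url: url.toString(), address: addrs[0] };
}

// Online variant: resolve the name with the system resolver, then apply the
// same policy. Needs network access, so the tests exercise checkDestination.
async function resolveAndCheck(rawUrl) {
  let host;
  try { host = new URL(rawUrl).hostname.replace(/^\[|\]$/g, ""); } catch { return checkDestination(rawUrl); }
  const dns = await import("node:dns");
  const resolved = ipFamily(host)
    ? []
    : (await dns.promises.lookup(host, { all: true })).map((r) => r.address);
  return checkDestination(rawUrl, resolved);
}
```

Two points matter when wiring a check like this in front of a sandboxed fetch. First, it has to run in the host process, not inside the sandbox, because sandbox code is exactly what is untrusted. Second, the check is only as good as the connection that follows it: the returned address should be pinned (for Node's http.request, via its `lookup` option) rather than re-resolved, and redirects should not be followed automatically (fetch with `redirect: "manual"`), otherwise a public host can 302 the request to the metadata address after the check has passed.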