TypeBot Server-Side Request Forgery Vulnerability in Webhook HTTP Request Blocks

Vulnerability

A server-side request forgery (SSRF) vulnerability affects TypeBot versions prior to 3.16.0. The SSRF protection for Webhook and HTTP Request blocks validates only the URL string: it rejects certain hostname literals (such as localhost) and IP-address formats that fall in blocked ranges, but it never resolves the hostname through DNS before the request is made. Any hostname that resolves to a loopback, cloud metadata, or private network address therefore passes validation and is fetched by the backend HTTP client. An attacker who can author a Webhook or HTTP Request block can use this to read data from, or send requests to, services that should only be reachable from inside the TypeBot server's network.

Impact

Depending on what the attacker-chosen hostname resolves to, exploitation gives access to loopback services, private network targets, and cloud metadata endpoints. Because the response body of the outbound request is written to TypeBot's execution logs, whatever the internal service returns can be read back by the attacker from those logs.

Reproduction

To reproduce this vulnerability, map a benign-looking hostname to the loopback address in the TypeBot server's hosts file. Then create a Webhook block in TypeBot whose URL uses that hostname; it is not an IP literal and not a blocked hostname literal, so the string-only SSRF validation accepts it. When the Webhook is triggered, the backend HTTP client resolves the hostname to 127.0.0.1 and fetches from the loopback service. The hosts-file mapping is only a convenience for a local reproduction: a DNS name the attacker controls with an A record pointing at 127.0.0.1, 169.254.169.254 or a private address behaves the same way against a production server.
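The difference between string-only validation and resolve-then-check validation, as an added example in JavaScript (TypeBot's stack). This is illustrative code written for this page, not TypeBot's own implementation or its fix. The blocked-range list, the simplified IPv6 handling, the injected `resolve` function and the `CONSTRUCTED_DNS` table are assumptions made for the demo; the first table entry mirrors the hosts-file reproduction above, and the demo runs offline because no real DNS lookup is performed.

```javascript
// Added example (not TypeBot's code): why string-only SSRF validation is bypassable
// and what a resolve-then-check validator does differently. Runs offline: the
// resolver is injected and backed by a constructed lookup table below.

// Address ranges an outbound-webhook client should never reach: "this" network,
// RFC 1918, CGNAT, loopback, link-local (includes 169.254.169.254 cloud metadata).
const FORBIDDEN_V4 = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16'];

function ipVersion(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return 4;
  if (/^[0-9a-f:.]+$/i.test(host) && host.includes(':')) return 6;
  return 0; // not an IP literal (a DNS name)
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isForbiddenIPv4(ip) {
  return FORBIDDEN_V4.some((cidr) => inCidr(ip, cidr));
}

// Simplified IPv6 check (assumption: enough for the demo, not a full parser):
// loopback, unspecified, IPv4-mapped in dotted or hex form (the WHATWG URL parser
// serialises ::ffff:10.0.0.1 as ::ffff:a00:1), ULA fc00::/7 and link-local fe80::/10.
function isForbiddenIPv6(ip) {
  const a = ip.toLowerCase();
  if (a === '::1' || a === '::') return true;
  const dotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isForbiddenIPv4(dotted[1]);
  const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isForbiddenIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  const first = parseInt(a.split(':')[0] || '0', 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80;
}

function isForbiddenIP(ip) {
  const v = ipVersion(ip);
  if (v === 4) return isForbiddenIPv4(ip);
  if (v === 6) return isForbiddenIPv6(ip);
  return true; // not an address at all: never treat it as safe at this layer
}

// The pre-fix behaviour as the advisory describes it: only the URL string is examined.
// Literal loopback/private IPs and "localhost" are rejected; any other name passes.
function stringOnlyCheck(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { allowed: false, reason: 'scheme' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // WHATWG keeps brackets on IPv6 literals
  if (host === 'localhost' || host.endsWith('.localhost')) return { allowed: false, reason: 'localhost literal' };
  if (ipVersion(host) && isForbiddenIP(host)) return { allowed: false, reason: `forbidden IP literal ${host}` };
  return { allowed: true, host };
}

// Resolve-then-check: after the string check, resolve the name and reject the request
// if ANY returned address is forbidden. `resolve` is (hostname) => string[]; in a real
// service it would wrap dns.promises.lookup(host, { all: true }) and be awaited.
function resolvingCheck(rawUrl, resolve) {
  const verdict = stringOnlyCheck(rawUrl);
  if (!verdict.allowed) return verdict;
  if (ipVersion(verdict.host)) return { allowed: true, host: verdict.host, address: verdict.host };
  let addresses;
  try { addresses = resolve(verdict.host); } catch { return { allowed: false, reason: 'DNS failure' }; }
  if (!addresses || addresses.length === 0) return { allowed: false, reason: 'no addresses' };
  const bad = addresses.find(isForbiddenIP);
  if (bad) return { allowed: false, reason: `${verdict.host} resolves to ${bad}` };
  // The caller should connect to `address` (not re-resolve) so a later DNS change cannot rebind.
  return { allowed: true, host: verdict.host, address: addresses[0] };
}

// Constructed lookup table standing in for DNS (not real records). The first entry
// mirrors the hosts-file reproduction in the advisory.
const CONSTRUCTED_DNS = {
  'benign.example.test': ['127.0.0.1'],
  'metadata.example.test': ['169.254.169.254'],
  'dual.example.test': ['203.0.113.10', '10.0.0.5'],
  'public.example.test': ['203.0.113.10'],
};
const constructedResolve = (hostname) => CONSTRUCTED_DNS[hostname] || [];

for (const u of ['http://127.0.0.1/', 'http://benign.example.test/',
  'http://metadata.example.test/', 'http://public.example.test/']) {
  console.log(u, 'string-only:', stringOnlyCheck(u).allowed,
    'resolving:', resolvingCheck(u, constructedResolve).allowed);
}
```

Run it with `node ssrf-check.js`: `http://benign.example.test/` passes the string-only check and is rejected by the resolving check, which is exactly the gap the advisory describes. Two further points matter for any real implementation of this pattern (general guidance, not a description of TypeBot's fix): the HTTP client has to connect to the address that was checked rather than resolving the name a second time, otherwise a DNS record that changes between check and connect (DNS rebinding) re-opens the hole; and every redirect hop must go through the same check, since a public host can 302 to an internal one.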

Remediation

Upgrade to TypeBot version 3.16.0 or later, where this issue is fixed. Independently of the upgrade, restricting the TypeBot backend's outbound traffic at the network layer so it cannot reach loopback, link-local (including 169.254.169.254) or private address ranges limits what any SSRF in the application can reach.

Added: May 26, 2026, 3:25 PM
Updated: May 26, 2026, 3:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.0
remediation: 0.0
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.