TypeBot SSRF Vulnerability via Open Redirect Bypass in HTTP Request and Code Blocks

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in TypeBot, a chatbot builder tool, in versions through 3.15.2. The issue arises in the HTTP Request block and Code block, where only the initial request URL is validated to block private IPs and cloud metadata hostnames. The HTTP clients used (ky and fetch) follow 302 redirects without re-validating the destination, so an authenticated user can redirect requests to internal IPs. This could enable access to internal services and AWS metadata, extraction of cloud IAM credentials, or probing of internal APIs not reachable from the internet.
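The bypass works because the deny-list is applied once, before the client silently follows the redirect. One way to close it, shown here as an added example and not TypeBot's own code, is a fetch wrapper that disables automatic redirects and re-validates every hop; the metadata hostname list, the `.example` URLs and the mock fetch are constructed for the offline demonstration.

```javascript
// Added example, not TypeBot's code: a fetch wrapper that disables automatic
// redirect following and re-validates every hop against the same deny-list.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const METADATA_HOSTS = new Set(['metadata.google.internal', 'metadata', 'instance-data']); // assumed list

// True for loopback, RFC 1918, link-local (169.254.x.x covers AWS metadata) and metadata hostnames.
// Literal IPs only: a DNS name must be resolved and its addresses checked before connecting.
function isBlockedHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (h === 'localhost' || h.endsWith('.localhost') || METADATA_HOSTS.has(h)) return true;
  if (h.includes(':')) return h === '::1' || h === '::' || /^f[cd]|^fe[89ab]|^::ffff:/.test(h);
  const m = IPV4.exec(h);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Follows redirects by hand so the deny-list applies to every destination, not just the first URL.
async function safeFetch(url, fetchImpl = globalThis.fetch, maxRedirects = 5) {
  let current = new URL(url);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (current.protocol !== 'http:' && current.protocol !== 'https:') throw new Error(`blocked scheme ${current.protocol}`);
    if (isBlockedHost(current.hostname)) throw new Error(`blocked destination ${current.hostname} at hop ${hop}`);
    const res = await fetchImpl(current.href, { redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current); // resolves relative Location headers too
      continue;
    }
    return res;
  }
  throw new Error('too many redirects');
}

// Constructed offline stand-in for fetch: one route 302s to the AWS metadata address, one returns 200.
const ROUTES = {
  'https://redirector.example/go': { status: 302, location: 'http://169.254.169.254/latest/meta-data/' },
  'https://api.example/ok': { status: 200 },
};
async function mockFetch(href) {
  const r = ROUTES[href] || { status: 404 };
  return { status: r.status, headers: new Map(r.location ? [['location', r.location]] : []) };
}

// Runs both cases and returns the outcome so it can be checked rather than only printed.
async function demo() {
  const ok = await safeFetch('https://api.example/ok', mockFetch);
  const blocked = await safeFetch('https://redirector.example/go', mockFetch).then(() => null, (e) => e.message);
  return { okStatus: ok.status, blockedMessage: blocked };
}
```

With the real `fetch`, the same wrapper rejects the httpbin-style redirect from the reproduction section at hop 1, while a direct request to a public host still succeeds.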

Impact

Exploitation allows authenticated TypeBot users to reach internal services, AWS metadata, and private subnets, with potential extraction of cloud IAM credentials or probing of internal APIs not reachable from the internet.

Reproduction

To reproduce this vulnerability, start TypeBot locally using Docker. Create a bot with an HTTP Request block that points to a redirect server, such as httpbin.org, which will redirect to an internal IP. Execute the bot via the preview feature, and the internal service response will be logged, demonstrating successful exploitation.

Remediation

Users can update to TypeBot version 3.16.0, where this vulnerability has been fixed.

Added: May 26, 2026, 3:14 PM
Updated: May 26, 2026, 3:14 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.0
remediation: 0.0
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.