CVE-2025-64706
BaseFortify
Publication date: 2025-11-13
Last updated on: 2025-11-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| typebot | typebot | 3.9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in the API token management endpoint of Typebot versions 3.9.0 up to but excluding 3.13.0. It allows an authenticated attacker to delete any user's API token and retrieve its value by knowing the target user's ID and token ID, without proper authorization checks.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can delete and retrieve API tokens belonging to other users, potentially leading to unauthorized access to user accounts or services that rely on those tokens, compromising confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Typebot to version 3.13.0 or later, as this version fixes the Insecure Direct Object Reference (IDOR) vulnerability in the API token management endpoint.
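As an added illustration of the CWE-639 pattern the Q&A describes (this is hypothetical example code, not Typebot's own handler, which the page does not show), here is a token-delete handler that trusts the user ID in the request beside one scoped to the authenticated session. The in-memory store, the sample tokens and all function names are constructed for the example.

```typescript
// Added illustration of the CWE-639 pattern in the Q&A above: a token-delete
// handler keyed only by IDs taken from the request (vulnerable) next to one
// scoped to the authenticated session (hardened). Hypothetical code, not Typebot's.

interface ApiToken { id: string; ownerId: string; name: string; value: string }

// Constructed in-memory stand-in for the token table.
function sampleStore(): Map<string, ApiToken> {
  return new Map<string, ApiToken>([
    ["tok-1", { id: "tok-1", ownerId: "user-A", name: "ci", value: "secret-A" }],
    ["tok-2", { id: "tok-2", ownerId: "user-B", name: "zapier", value: "secret-B" }],
  ]);
}

// Vulnerable shape: the "owner" check compares the token against a userId the
// caller supplied, not against who is actually logged in, and the response
// echoes the secret value. Any authenticated caller who knows a userId/tokenId
// pair can therefore delete that token and read it.
function deleteTokenVulnerable(
  store: Map<string, ApiToken>,
  req: { userId: string; tokenId: string },
): { status: number; body?: { value: string } } {
  const token = store.get(req.tokenId);
  if (!token || token.ownerId !== req.userId) return { status: 404 };
  store.delete(req.tokenId);
  return { status: 200, body: { value: token.value } };
}

// Hardened shape: the owner comes from the server-side session only, the lookup
// is scoped to that owner, and the secret is never returned. A non-owner gets
// the same 404 as a missing token, so the endpoint does not confirm which token
// IDs exist for other users.
function deleteTokenHardened(
  store: Map<string, ApiToken>,
  session: { userId: string },
  req: { tokenId: string },
): { status: number; body?: { id: string } } {
  const token = store.get(req.tokenId);
  if (!token || token.ownerId !== session.userId) return { status: 404 };
  store.delete(req.tokenId);
  return { status: 200, body: { id: token.id } };
}
```

In code review the thing to look for is any handler whose owner or tenant key is read from the request body or URL rather than from the session; that is the defect class this CVE belongs to.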