What happened
TypeBot versions prior to 3.17.2 (CVSS 8.2 HIGH, NVD June 18, 2026) contain a Server-Side Request Forgery (SSRF) vulnerability. The SSRF guard resolves the supplied hostname once and checks the resulting IP against blocked ranges, but the outbound connection is made separately and resolves the hostname again: a time-of-check to time-of-use (TOCTOU) gap. An attacker can exploit DNS rebinding so that the first resolution returns a public IP (passing the IP-range check) while the second returns an internal/private IP, bypassing the SSRF guard to reach internal network services.
Why it matters
SSRF in a chatbot platform allows attackers to use the chatbot server as a pivot to reach internal services (metadata APIs, internal databases, other AI microservices) that are not exposed to the internet. In cloud-hosted TypeBot deployments, this could expose cloud instance metadata endpoints (AWS IMDS, GCP metadata) enabling credential theft.
Attack vector
Attacker supplies a URL to TypeBot that initially resolves to a public IP (passing SSRF validation), then uses DNS rebinding to make the actual connection resolve to an internal/private IP, reaching internal services through the chatbot server.
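The check-then-connect gap described above, as an added example in JavaScript (not TypeBot's code or the content of its fix commit): a naive guard that validates one DNS answer and then lets the HTTP client resolve the name again, beside a guard that pins the validated IP for the connection. The resolver and client are injected stand-ins, constructed so the example runs offline; it handles IPv4 only and refuses anything it cannot parse.

```javascript
// Added example, not TypeBot's code or its fix commit: an outbound-request guard that
// closes the TOCTOU gap by pinning the validated IP. Resolver injected to run offline.
const BLOCKED = [ // IPv4 ranges refused: RFC 1918, loopback, link-local (incl. 169.254.169.254)
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

// Strict dotted quad; leading-zero octets rejected (a real resolver may read "0177" as octal 127).
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const p = m.slice(1);
  if (p.some((o) => (o.length > 1 && o[0] === "0") || Number(o) > 255)) return null;
  return p.reduce((n, o) => n * 256 + Number(o), 0);
}

// Fail closed: anything that is not a parseable IPv4 address counts as private.
function isPrivateIp(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  return BLOCKED.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Constructed rebinding resolver: first lookup answers `first` (public), later ones `later`.
function makeRebindingResolver(first, later) {
  let calls = 0;
  return () => (calls++ === 0 ? first : later);
}

// VULNERABLE (the advisory's TOCTOU): check one resolution, then let the client resolve again.
function fetchNaive(hostname, resolve, connect) {
  if (isPrivateIp(resolve(hostname))) throw new Error("blocked: " + hostname);
  return connect(resolve(hostname), hostname); // the client's own, second resolution
}

// FIXED: resolve once, validate that IP, connect to that IP; hostname goes only in Host/SNI.
function fetchPinned(hostname, resolve, connect) {
  const ip = resolve(hostname);
  if (isPrivateIp(ip)) throw new Error("blocked: " + hostname);
  return connect(ip, hostname);
}
// Demo: both patterns against one rebinding name; the fake client reports the IP it reached.
function demo() {
  const client = (ip) => ip, name = "rebind.example";
  const rebind = () => makeRebindingResolver("203.0.113.10", "169.254.169.254");
  return { naive: fetchNaive(name, rebind(), client), pinned: fetchPinned(name, rebind(), client) };
}
```

A production guard must apply the same pinning to every redirect hop and to IPv6 answers, since either can reintroduce a second resolution.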
Affected systems
TypeBot (typebot.io) < 3.17.2
Mitigation
Upgrade to TypeBot 3.17.2. See fix commit: https://github.com/baptisteArno/typebot.io/commit/f56c3c3f771df13a8c11e88f500dfdd78981bed1