What happened
TypeBot versions prior to 3.17.2 contain a TOCTOU (time-of-check to time-of-use) gap in SSRF validation. The validator checks the hostname once, but the actual HTTP request performs a fresh DNS lookup, enabling DNS rebinding attacks to force connections to private/metadata addresses.
Why it matters
TypeBot's HTTP request and script fetch blocks are used in AI chatbots for server-side operations. An SSRF vulnerability allows attackers to reach internal infrastructure (metadata servers, internal APIs, private services) that the chatbot can access.
Attack vector
TypeBot's SSRF validation resolves a hostname once and approves it, but the subsequent HTTP request performs a fresh DNS resolution. An attacker supplies a URL whose hostname initially resolves to a public IP but later resolves to a private/metadata address via DNS rebinding, bypassing the SSRF protection.
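As an added illustration (not TypeBot's own code), the defender-side pattern that removes this check-then-use gap: resolve the hostname exactly once, validate every returned address, and make the HTTP client connect to that pinned IP while sending the original hostname in the Host header / SNI. The resolver stand-in and the addresses used are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_blocked_ip(addr: str) -> bool:
    """True for addresses a server-side fetcher must never contact: loopback,
    RFC 1918, link-local (covers the 169.254.169.254 metadata endpoint),
    reserved, multicast, unspecified, and IPv4-mapped IPv6 forms of these."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def resolve_pinned(host: str, resolver=socket.getaddrinfo) -> str:
    """Resolve the hostname exactly once, validate every answer, and return
    one pinned address. The HTTP client must connect to this address (with
    the original hostname in the Host header / TLS SNI) instead of resolving
    the name again; that single resolution is what closes the TOCTOU gap."""
    answers = sorted({info[4][0] for info in resolver(host, None)})
    if not answers:
        raise ValueError(f"{host} did not resolve")
    for addr in answers:
        if is_blocked_ip(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return answers[0]


def pinned_request_target(url: str, resolver=socket.getaddrinfo):
    """Turn a user-supplied URL into (pinned_ip, port, host_header).
    Any redirect target must be passed through this function again."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a hostname are allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return resolve_pinned(parts.hostname, resolver), port, parts.hostname


def make_rebinding_resolver(answers):
    """Constructed stand-in for DNS: returns answers[i] on the i-th call,
    mimicking a short-TTL record that flips between check and use."""
    calls = []

    def _resolve(host, port):
        calls.append(host)
        ip = answers[min(len(calls) - 1, len(answers) - 1)]
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0))]

    _resolve.calls = calls
    return _resolve
```

Because the client connects to the returned IP rather than the hostname, a record that flips to a private address after validation is never looked up a second time.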
Affected systems
TypeBot chatbot builder versions prior to 3.17.2
Mitigation
Update TypeBot to version 3.17.2 or later