CVE-2025-52560
BaseFortify
Publication date: 2025-06-24
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kanboard | kanboard | < 1.2.46 (1.2.46 excluded; the fix ships in 1.2.46) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Kanboard occurs because the application builds the base URL for password reset email links from the unvalidated Host header whenever the application_url configuration is left unset. Kanboard read the SERVER_NAME server variable, which on common web server setups (for example Apache with UseCanonicalName Off) simply echoes the client-supplied Host header. An attacker who submits the forgot-password form with a forged Host header therefore causes the reset email to contain a link pointing at an attacker-controlled domain. If the victim clicks that link, their browser sends the reset token, which is part of the URL, to the attacker's server, and the attacker can use it to set a new password and take over the account. The issue was fixed by removing the SERVER_NAME fallback and requiring application_url to be configured explicitly. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to account takeover, including of administrator accounts, by leaking password reset tokens to attacker-controlled domains. The attacker does not need to intercept traffic: they send their own password reset request for the victim's account with the Host header set to a domain they control, and the victim receives a legitimate-looking reset email whose link points at that domain. When the victim clicks the link, the token is delivered to the attacker, who uses it to reset the victim's password and log in. This compromises the confidentiality and integrity of user accounts and of every project the account can access. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The quickest check is configuration, not traffic: a Kanboard instance older than 1.2.46 with no `application_url` set is affected, so run `grep -i application_url config.php` on the server and confirm the value is a fixed absolute URL. To test behaviour, send a password reset request through a proxy such as Burp Suite, or with curl, while forging the Host header, for example `curl -v -H "Host: attacker.com" http://your-kanboard-instance/password-reset` (adjust the path to your instance; a plain GET only shows whether the server accepts the forged Host, the actual test is submitting the forgot-password form with the forged header and then checking which domain appears in the reset link that is emailed). Use a test account and a domain you control, never a third party's. For detection after the fact, note that the default combined access log format does not record the Host header, so add it (Apache `%{Host}i`, nginx `$http_host`) and then look for requests to the password reset endpoint whose Host value is not your instance's canonical name. Reviewing outgoing mail logs for reset links containing unexpected domains is the other reliable indicator of exploitation attempts. [2]
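The two log checks described above, as an added example that is not part of the original page or of Kanboard: it parses access log lines written in Apache's combined format extended with a trailing quoted `%{Host}i` field (an assumption about how the log was configured), flags password reset requests whose Host value is not one of the trusted canonical names, and scans outgoing mail text for reset links whose host is not trusted. The log lines, mail text and the `controller=PasswordReset` URL pattern are constructed for the example; adjust the pattern to the path your instance actually uses.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access log, Apache combined format plus a final "%{Host}i" field:
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
SAMPLE_LOG = """\
198.51.100.7 - - [24/Jun/2025:09:58:11 +0000] "GET /?controller=TaskViewController&action=show&task_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "kanboard.example.org"
198.51.100.7 - - [24/Jun/2025:09:59:02 +0000] "POST /?controller=PasswordReset&action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0" "kanboard.example.org"
203.0.113.5 - - [24/Jun/2025:10:00:45 +0000] "POST /?controller=PasswordReset&action=save HTTP/1.1" 302 0 "-" "curl/8.5.0" "attacker.example"
203.0.113.5 - - [24/Jun/2025:10:00:46 +0000] "POST /?controller=PasswordReset&action=save HTTP/1.1" 302 0 "-" "curl/8.5.0" "kanboard.example.org:8443"
"""

# Constructed sample of outgoing mail text (e.g. from a mail log or a sent-mail archive).
SAMPLE_MAIL = """\
Subject: Password reset for kanboard.example.org
Click here to reset your password: https://kanboard.example.org/?controller=PasswordReset&action=change&token=3f9c0a1e
Subject: Password reset for kanboard.example.org
Click here to reset your password: http://attacker.example/?controller=PasswordReset&action=change&token=77ab51d2
"""

# One access log line: IP, ident, user, [timestamp], "METHOD target PROTO", status, bytes,
# "referer", "user-agent", "host".  Fields we do not need are matched but not captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

# Any absolute http(s) URL up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_suspicious_reset_requests(log_text, trusted_hosts, reset_pattern=r"password[-_ ]?reset"):
    """Return reset-endpoint requests whose Host header is not a trusted canonical name.

    Hosts are compared as the full authority (host[:port]) because a non-default port
    also changes the link the application would generate.  reset_pattern is an
    assumption about the reset endpoint's URL; override it for your instance.
    """
    reset_re = re.compile(reset_pattern, re.IGNORECASE)
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not reset_re.search(m["target"]):
            continue
        if m["host"].lower() not in trusted:
            hits.append({"ip": m["ip"], "time": m["ts"], "host": m["host"], "target": m["target"]})
    return hits


def offsite_reset_links(mail_text, trusted_hosts):
    """Return every link in mail_text whose authority is not a trusted host.

    A reset link pointing anywhere but the instance's own name means the token
    would be delivered to a third party when clicked.
    """
    trusted = {h.lower() for h in trusted_hosts}
    return [u for u in URL_RE.findall(mail_text) if urlsplit(u).netloc.lower() not in trusted]


if __name__ == "__main__":
    trusted = {"kanboard.example.org"}
    for hit in find_suspicious_reset_requests(SAMPLE_LOG, trusted):
        print("suspicious reset request:", hit)
    for link in offsite_reset_links(SAMPLE_MAIL, trusted):
        print("reset link leaves the instance:", link)
```

Run it against your own logs by reading the files into `log_text` and `mail_text`; only the Host-bearing log format matters, the rest of the fields are ignored.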
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, explicitly set the `application_url` configuration in Kanboard to the canonical URL users actually reach the instance through, including the scheme, host and any non-default port. With it set, the application never consults the Host header (via `SERVER_NAME`) when generating password reset URLs. Upgrade Kanboard to version 1.2.46 or later, where the `SERVER_NAME` fallback is removed and `application_url` is required, so that a future misconfiguration cannot reintroduce the issue. As defence in depth, have the reverse proxy or web server reject requests whose Host header does not match the instance's name, and if you suspect the flaw was exploited, invalidate outstanding reset tokens and review recent password changes. [2, 1]
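The mechanism described in the explanation above, and the fix described in this mitigation answer, as an added example that is not Kanboard's code: a small Python model of how a reset link's base URL was derived before the fix (falling back to `SERVER_NAME`, which here mirrors the client's Host header, an assumption about the web server configuration) beside the hardened form that refuses to build a link unless `application_url` is configured. The `controller=PasswordReset` query string is an assumed placeholder for the reset route, and all hostnames and tokens are constructed.

```python
from urllib.parse import urlencode, urlsplit


def vulnerable_base_url(config, server_vars):
    """Pre-fix behaviour: use application_url if set, otherwise fall back to SERVER_NAME.

    On a default Apache (UseCanonicalName Off) or similar setup SERVER_NAME is taken
    from the request's Host header, so the attacker chooses the base URL.
    server_vars models the CGI variables the web server hands to the application.
    """
    if config.get("application_url"):
        return config["application_url"]
    scheme = "https" if server_vars.get("HTTPS") == "on" else "http"
    return f"{scheme}://{server_vars['SERVER_NAME']}/"


def hardened_base_url(config):
    """Post-fix behaviour: the base URL comes from configuration only, never from the request."""
    url = config.get("application_url")
    if not url:
        raise RuntimeError("application_url must be configured; refusing to build a reset link")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise RuntimeError("application_url must be an absolute http(s) URL")
    return url if url.endswith("/") else url + "/"


def build_reset_link(base_url, token):
    """Append the reset route and token to the base URL (route name is an assumption)."""
    return base_url + "?" + urlencode({"controller": "PasswordReset", "action": "change", "token": token})


def link_host(link):
    """Hostname the victim's browser will send the token to when the link is clicked."""
    return urlsplit(link).hostname


if __name__ == "__main__":
    # Attacker submits the forgot-password form with "Host: attacker.example".
    forged_request = {"SERVER_NAME": "attacker.example", "HTTPS": "on"}
    token = "3f9c0a1e77ab51d2"

    unset = {}
    leaked = build_reset_link(vulnerable_base_url(unset, forged_request), token)
    print("application_url unset, old code  ->", leaked)           # token goes to attacker.example

    configured = {"application_url": "https://kanboard.example.org"}
    safe = build_reset_link(hardened_base_url(configured), token)
    print("application_url set, fixed code  ->", safe)             # token stays on the instance

    try:
        hardened_base_url(unset)
    except RuntimeError as exc:
        print("application_url unset, fixed code ->", exc)
```

The hardened path fails closed: a misconfigured instance produces an error instead of a link that points wherever the request said, which is exactly the property the upstream fix restores by requiring `application_url`.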