CVE-2025-43930
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: MITRE
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-472 | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43930 is a Host Header Injection vulnerability in Hashview version 0.8.1. The Flask application does not have the SERVER_NAME configured, so it uses the unvalidated Host HTTP header when generating password reset links. An attacker can send a password reset request with a malicious Host header, causing the application to generate a reset URL pointing to an attacker-controlled domain. When the victim clicks the link in the password reset email, the reset token is exposed to the attacker, allowing them to take over the victim's account by resetting the password without authorization. [1]
How can this vulnerability impact me?
This vulnerability can lead to a full account takeover. An attacker can intercept password reset tokens by manipulating the Host header, then use those tokens to reset victims' passwords and gain unauthorized access to their accounts. This compromises user accounts, potentially exposing sensitive data and allowing malicious actions under the victim's identity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the password reset feature for Host Header Injection. You can send a password reset request with a manipulated Host HTTP header and observe if the generated reset link in the email or response contains the attacker-controlled domain instead of the legitimate one. For example, using curl: curl -H "Host: attacker.com" -X POST https://your-hashview-instance/reset-password -d "[email protected]". If the reset link points to attacker.com, the vulnerability exists. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include configuring the Flask application to explicitly set the SERVER_NAME parameter to the legitimate domain, validating the Host header to prevent tampering, and removing the _external=True parameter from url_for calls if external links are not necessary. These changes prevent the application from using untrusted Host headers when generating password reset URLs, thereby blocking the attack vector. [1]
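An added example (not Hashview's code, and written without Flask so it runs stand-alone) of the Host allow-listing the mitigation above describes, together with the check on a generated reset link that the detection answer describes; the allow-listed hostname is an assumption. In Flask the same check would run in a before_request hook against request.host, alongside setting app.config["SERVER_NAME"] to the legitimate domain.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hostname this Hashview deployment is legitimately
# served on (assumption).  In Flask, app.config["SERVER_NAME"] should match it.
ALLOWED_HOSTS = frozenset({"hashview.example.com"})

_HOST_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-.")


def normalize_host(host_header: str) -> str:
    """Reduce a Host header (or URL netloc) to a comparable hostname.

    Lower-cases, strips an optional numeric port and a trailing dot, and
    unwraps an IPv6 literal.  Returns "" for anything that is not a plain
    hostname (userinfo, path characters, non-numeric port, bare IPv6), so the
    caller fails closed instead of trusting a crafted value.
    """
    host = host_header.strip().lower()
    if host.startswith("["):                    # IPv6 literal, e.g. "[::1]:5000"
        end = host.find("]")
        return host[1:end] if end > 1 else ""
    if host.count(":") == 1:                    # "host:port"
        host, port = host.split(":")
        if not port.isdigit():
            return ""
    host = host.rstrip(".")
    if not host or not set(host) <= _HOST_CHARS:
        return ""
    return host


def host_is_trusted(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """Mitigation: accept a request only if its Host header is allow-listed.

    In Flask this would run in a before_request hook against request.host and
    abort(400) on False, so url_for(..., _external=True) never builds a reset
    link from an attacker-supplied host.
    """
    return normalize_host(host_header) in allowed


def reset_link_is_trusted(link: str, allowed=ALLOWED_HOSTS) -> bool:
    """Detection: does a generated reset link point at an allow-listed host?

    Also requires https, so a downgraded link is flagged as well.
    """
    parts = urlsplit(link)
    return parts.scheme == "https" and normalize_host(parts.netloc) in allowed
```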