CVE-2025-43931
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: MITRE
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Host Header Injection issue in the Flask-Boilerplate project. Because the SERVER_NAME configuration is not set, the application generates password reset links using the untrusted Host HTTP header from incoming requests. An attacker can manipulate this Host header during a password reset request to create a reset link pointing to an attacker-controlled domain. When a victim clicks this malicious link, their password reset token is exposed to the attacker, enabling remote account takeover and token disclosure. [1]
How can this vulnerability impact me?
This vulnerability can lead to remote account takeover by exposing password reset tokens to attackers. An attacker can craft malicious password reset links that, when clicked by a victim, reveal sensitive tokens, allowing the attacker to reset the victim's password and gain unauthorized access to their account. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Flask application sets the SERVER_NAME configuration. Additionally, you can test for Host Header Injection by sending password reset requests with manipulated Host headers and observing if the reset link generated contains the attacker-controlled domain. For example, using curl to send a password reset request with a custom Host header: curl -H "Host: attacker.com" -X POST https://your-flask-app/reset-password. If the reset link in the response or email contains attacker.com, the vulnerability exists. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include setting the SERVER_NAME configuration in your Flask application to a fixed, trusted domain name. Also, validate or sanitize the Host header to prevent injection of untrusted values. Another step is to remove the _external=True parameter from url_for calls if external URLs are not explicitly needed, to avoid generating URLs based on the Host header. [1]
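Added illustration (stdlib Python, not Flask-Boilerplate's or Flask's own code) of the fix and the self-check the answers above describe: the link builder that echoes the Host header, beside a hardened one that allowlists the Host header and always builds the link from a fixed canonical host (the role SERVER_NAME plays in Flask), plus a check for whether a returned reset link carries the host you sent. CANONICAL_HOST, ALLOWED_HOSTS, the helper names and all hostnames and tokens are constructed assumptions.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

CANONICAL_HOST = "app.example.com"  # constructed; stands in for a fixed SERVER_NAME
ALLOWED_HOSTS = {"app.example.com", "app.example.com:443"}  # constructed allowlist
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?$")


def _reset_path(token: str) -> str:
    return "/reset-password/" + quote(token, safe="")


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Mirrors the flaw: without SERVER_NAME, an external URL takes its host
    verbatim from the request's Host header, so that header ends up in the link."""
    return urlunsplit(("https", headers.get("Host", ""), _reset_path(token), "", ""))


def build_reset_link_fixed(headers: dict, token: str) -> str:
    """Hardened form: a Host header that is malformed or not allowlisted is rejected
    (the request should get a 400), and the link host is always the canonical one."""
    host = headers.get("Host", "").lower()
    if not _HOST_RE.match(host) or host not in ALLOWED_HOSTS:
        raise ValueError("untrusted Host header rejected: %r" % headers.get("Host"))
    return urlunsplit(("https", CANONICAL_HOST, _reset_path(token), "", ""))


def link_uses_request_host(link: str, sent_host: str) -> bool:
    """Self-check for the curl test above: True when the reset link's host echoes
    the Host header that was sent and is not the canonical host (app is vulnerable)."""
    link_host = urlsplit(link).netloc.lower()
    return link_host == sent_host.lower() and link_host != CANONICAL_HOST


if __name__ == "__main__":
    spoofed = {"Host": "untrusted.example"}  # constructed request with a foreign Host
    bad = build_reset_link_vulnerable(spoofed, "tok123")
    print(bad, link_uses_request_host(bad, spoofed["Host"]))  # echoes the header: True
    try:
        build_reset_link_fixed(spoofed, "tok123")
    except ValueError as err:
        print("rejected:", err)
    good = build_reset_link_fixed({"Host": "app.example.com"}, "tok123")
    print(good, link_uses_request_host(good, "app.example.com"))  # canonical host: False
```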