CVE-2025-43933
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: MITRE
Exploitability
| CWE ID | Description |
|---|---|
| CWE-472 | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Host Header Injection issue in the Flask-based project 'fblog'. Because SERVER_NAME is not configured, the password reset URL is generated from the Host HTTP header of the incoming request, which the client controls. By sending a request with a malicious Host header, an attacker can cause the password reset link sent to users to point to an attacker-controlled domain. When a victim clicks this link, the reset token is exposed to the attacker, allowing remote account takeover. [1]
How can this vulnerability impact me?
This vulnerability can lead to account takeover. An attacker can trick users into clicking a malicious password reset link that exposes their reset token, allowing the attacker to reset the victim's password and gain unauthorized access to their account. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting HTTP requests to the password reset feature and checking whether the password reset URLs in emails or responses are generated from the Host HTTP header without validation. You can capture HTTP traffic and look for password reset links containing unexpected or attacker-controlled domains. Tools such as curl or wget can send a request with a custom Host header to test whether the reset link changes accordingly. A sample command to test might be: curl -H "Host: attacker.com" https://your-fblog-instance/reset-password-request and then check the received email or response for the reset link domain. Additionally, reviewing the Flask app configuration to see whether SERVER_NAME is set can help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include explicitly setting the SERVER_NAME configuration in the Flask application to a trusted domain, validating or sanitizing the Host HTTP header to prevent injection of attacker-controlled values, and removing the _external=True parameter from the url_for function if generating external URLs is not necessary. These steps prevent the password reset URLs from being generated based on untrusted Host headers, thereby blocking the attack vector. [1]
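To make the detection and mitigation answers above concrete, here is an added stdlib-only Python model (not fblog's or Flask's own code) of a reset-link builder: the unsafe form takes its authority from the request's Host header, which is what happens in Flask when SERVER_NAME is unset and url_for is called with _external=True, while the hardened form pins the link to a configured SERVER_NAME and rejects any Host outside an allowlist, and a small detection helper flags captured reset links whose host is not on that allowlist. The reset path, host names and sample links are assumed or constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

RESET_PATH = "/reset_password"   # assumed path; fblog's real route is not given here

def _hostname(host_header: str) -> str:
    # Lowercase and drop the port: "Blog.Example.org:8443" -> "blog.example.org"
    host = host_header.strip().lower()
    if host.startswith("["):                      # IPv6 literal such as [::1]:5000
        return host.split("]")[0] + "]"
    return host.split(":")[0]

def host_is_trusted(host_header: str, trusted: list) -> bool:
    # Allowlist check modelled on Werkzeug's trusted-host rule: an entry matches
    # exactly, and a leading-dot entry (".example.org") also matches subdomains.
    name = _hostname(host_header)
    for entry in trusted:
        entry = entry.lower()
        if entry.startswith(".") and (name == entry[1:] or name.endswith(entry)):
            return True
        if name == entry:
            return True
    return False

def unsafe_reset_url(request_host: str, token: str) -> str:
    # Vulnerable shape (SERVER_NAME unset): the client-supplied Host header
    # becomes the authority of the link that is e-mailed to the victim.
    return urlunsplit(("https", request_host, f"{RESET_PATH}/{token}", "", ""))

def safe_reset_url(request_host: str, token: str, server_name: str,
                   trusted_hosts=None) -> str:
    # Hardened shape: reject requests whose Host is not on the allowlist and
    # build the link from the configured SERVER_NAME, never from the header.
    if not host_is_trusted(request_host, trusted_hosts or [server_name]):
        raise ValueError(f"untrusted Host header: {request_host!r}")
    return urlunsplit(("https", server_name, f"{RESET_PATH}/{token}", "", ""))

def untrusted_reset_links(links: list, trusted: list) -> list:
    # Detection helper for captured e-mails/responses: return every reset link
    # whose host is not on the allowlist. urlsplit().hostname yields the real
    # host even when userinfo ("good.host@bad.host") is used to disguise it.
    return [u for u in links if not host_is_trusted(urlsplit(u).hostname or "", trusted)]

# Constructed sample links (not real data): one legitimate, two pointing elsewhere.
SAMPLE_LINKS = [
    "https://blog.example.org/reset_password/tok123",
    "https://attacker.example/reset_password/tok123",
    "https://blog.example.org@attacker.example/reset_password/tok123",
]
```

Running untrusted_reset_links(SAMPLE_LINKS, ["blog.example.org"]) returns the last two links, and safe_reset_url raises ValueError for a Host of attacker.example.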