CVE-2025-53373
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Host Header injection in the Natours Tour Booking API's password reset functionality. The application constructs the password reset URL using the Host header from the incoming HTTP request, which an attacker can manipulate by injecting their own server domain. When a victim requests a password reset, the reset link sent via email contains the attacker's domain instead of the legitimate one. If the victim clicks this malicious link, the reset token is exposed to the attacker, enabling them to take over the victim's account. [2]
How can this vulnerability impact me?
This vulnerability can lead to a complete account takeover of any user. By exploiting the Host Header injection, an attacker can trick the victim into clicking a password reset link that sends the reset token to the attacker's server. This allows the attacker to reset the victim's password and gain unauthorized access to their account with a single click. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the /forgetpassword endpoint and checking for unusual or suspicious Host header values that differ from the legitimate domain. You can use network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests and filter for the /forgetpassword endpoint. For example, using tcpdump: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Host:'` and then manually inspecting Host headers in requests to /forgetpassword. Alternatively, using curl to test the endpoint with a manipulated Host header: `curl -H 'Host: attacker.com' https://your-natours-domain/api/v1/auth/forgetpassword -d '[email protected]'`. Detection involves identifying if the system accepts and processes requests with arbitrary Host headers at this endpoint. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves modifying the application to stop using the user-controlled Host header when constructing password reset URLs. Instead, configure the application to use a fixed, trusted domain name from environment variables. Specifically, update the code to retrieve the host from environment variables based on the environment (development or production) rather than from the incoming request header. For example, use: `const host = process.env.NODE_ENV === 'development' ? process.env.DEVELOPMENT_BASE_URL : process.env.PRODUCTION_BASE_URL;` and then construct the reset URL with this host. This prevents Host header injection attacks by ensuring the reset link domain is controlled and trusted. [1, 2]
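The following Node.js example is added here to illustrate both the detection idea above (flagging /forgetpassword requests whose Host header is off an allow-list) and the mitigation (building the reset link from a configured base URL instead of the request's Host header). It is not code from the Natours project or from the advisory; the function names, the /api/v1/auth/resetpassword path, the allow-list, and all sample records and environment values are assumptions constructed for this example.

```javascript
// Added example (not from the Natours project or the CVE advisory):
// password-reset URL construction before and after the fix, plus a
// Host-header allow-list check usable as Express middleware or over
// captured requests. Names, paths and sample values are assumptions.

// BEFORE: the base URL is taken from the request's Host header, so whoever
// controls that header controls where the emailed reset token points.
function buildResetUrlFromHost(req, token) {
  const host = req.headers.host; // request-controlled, not trusted
  return `${req.protocol}://${host}/api/v1/auth/resetpassword/${token}`;
}

// AFTER: the base URL comes from trusted configuration only. This mirrors
// the advisory's suggested pattern of selecting the host by NODE_ENV; the
// env object is a parameter so it can be tested without touching process.env.
function resetBaseUrl(env) {
  const base = env.NODE_ENV === 'development'
    ? env.DEVELOPMENT_BASE_URL
    : env.PRODUCTION_BASE_URL;
  if (!base) {
    // Fail closed: never fall back to the request's Host header.
    throw new Error('reset base URL is not configured');
  }
  return base.replace(/\/+$/, ''); // normalise a trailing slash
}

function buildResetUrlFromConfig(env, token) {
  return `${resetBaseUrl(env)}/api/v1/auth/resetpassword/${encodeURIComponent(token)}`;
}

// Defence in depth / detection: compare the Host header against an allow-list.
// Returns null when the header is acceptable, otherwise a short reason.
function hostHeaderProblem(hostHeader, allowedHosts) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) {
    return 'missing Host header';
  }
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, ''); // drop port
  return allowedHosts.includes(host) ? null : `unexpected Host header: ${hostHeader}`;
}

// Express-style middleware built from the check above. Assumed usage:
// app.use(requireKnownHost(['natours.example'])) ahead of the auth routes.
function requireKnownHost(allowedHosts) {
  return function (req, res, next) {
    const problem = hostHeaderProblem(req.headers.host, allowedHosts);
    if (problem) {
      // Log for detection, then refuse to process the request.
      console.warn(`[host-check] ${req.method} ${req.path}: ${problem}`);
      return res.status(400).json({ status: 'fail', message: 'Bad request' });
    }
    next();
  };
}

// Scan captured requests (e.g. parsed from an access log) for password-reset
// requests whose Host header is off the allow-list.
function findSuspiciousResetRequests(records, allowedHosts) {
  return records
    .filter((r) => r.path === '/api/v1/auth/forgetpassword')
    .map((r) => ({ ...r, problem: hostHeaderProblem(r.host, allowedHosts) }))
    .filter((r) => r.problem !== null);
}

// Constructed sample data for the stand-alone run.
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  DEVELOPMENT_BASE_URL: 'http://localhost:3000',
  PRODUCTION_BASE_URL: 'https://natours.example/',
};
const SAMPLE_RECORDS = [
  { method: 'POST', path: '/api/v1/auth/forgetpassword', host: 'natours.example' },
  { method: 'POST', path: '/api/v1/auth/forgetpassword', host: 'evil.example' },
  { method: 'GET', path: '/api/v1/tours', host: 'evil.example' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const spoofed = { protocol: 'https', headers: { host: 'evil.example' } };
  console.log('vulnerable:', buildResetUrlFromHost(spoofed, 'tok123'));
  console.log('hardened:  ', buildResetUrlFromConfig(SAMPLE_ENV, 'tok123'));
  console.log('flagged:   ', findSuspiciousResetRequests(SAMPLE_RECORDS, ['natours.example']));
}
```

The allow-list check is deliberately separate from the URL builder: even with the builder fixed, rejecting unknown Host values at the edge gives you a log line to alert on, which is the signal the detection answer above is looking for.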