CVE-2025-61136
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-23

Last updated on: 2025-10-27

Assigner: MITRE

Description
A Host Header Injection vulnerability in the password reset component in axewater sharewarez v2.4.3 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-23
Last Modified
2025-10-27
Generated
2026-06-16
AI Q&A
2025-10-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-61136
EUVD
EUVD-2025-35695
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
axewater sharewarez 2.4.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61136 is a Host Header Injection vulnerability in the password reset component of axewater sharewarez v2.4.3. It occurs because the application uses Flask's url_for(_external=True) function to generate password reset links without a fixed SERVER_NAME, causing the reset URLs to be based on the HTTP Host header. An attacker can manipulate this Host header to craft password reset links that point to an attacker-controlled domain. When a victim requests a password reset, the reset email contains a link with a token that points to the attacker's domain. If the victim clicks this link, the attacker can intercept the reset token and use it to take over the victim's account by resetting their password. [1, 3]

Impact Analysis

This vulnerability can lead to account takeover. An attacker can trick the system into sending password reset links that point to a domain they control, allowing them to steal password reset tokens. With these tokens, the attacker can reset the victim's password and gain unauthorized access to their account. This compromises user accounts and can lead to loss of sensitive information or unauthorized actions performed under the victim's identity. [1, 3]

Detection Guidance

This vulnerability can be detected by monitoring password reset requests and inspecting the HTTP Host header for manipulation. Tools like Burp Suite can be used to intercept and modify HTTP requests to test if the Host header is used to generate password reset links. Specifically, you can capture a password reset request and modify the Host header to an attacker-controlled domain, then observe if the reset email contains a link pointing to that domain. Commands depend on your interception tool, but with curl you might simulate a request like: curl -H "Host: evil-user.net" -d "username=victim" https://target-website.com/password-reset to see if the reset link is affected. Additionally, monitoring outgoing emails for reset links pointing to unexpected domains can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include configuring the Flask application to set a fixed SERVER_NAME so that url_for(_external=True) generates reset links with a trusted domain rather than relying on the incoming Host header. This prevents attackers from manipulating the Host header to poison password reset links. Additionally, validate and sanitize the Host header or avoid using it directly when generating URLs. Monitoring and alerting on unusual password reset requests and suspicious reset link domains can also help detect exploitation attempts. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61136. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart