CVE-2025-61136
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-10-27
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axewater | sharewarez | 2.4.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61136 is a Host Header Injection vulnerability in the password reset component of axewater sharewarez v2.4.3. It occurs because the application uses Flask's url_for(_external=True) function to generate password reset links without a fixed SERVER_NAME, causing the reset URLs to be based on the HTTP Host header. An attacker can manipulate this Host header to craft password reset links that point to an attacker-controlled domain. When a victim requests a password reset, the reset email contains a link with a token that points to the attacker's domain. If the victim clicks this link, the attacker can intercept the reset token and use it to take over the victim's account by resetting their password. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to account takeover. An attacker can trick the system into sending password reset links that point to a domain they control, allowing them to steal password reset tokens. With these tokens, the attacker can reset the victim's password and gain unauthorized access to their account. This compromises user accounts and can lead to loss of sensitive information or unauthorized actions performed under the victim's identity. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring password reset requests and inspecting the HTTP Host header for manipulation. Tools like Burp Suite can be used to intercept and modify HTTP requests to test if the Host header is used to generate password reset links. Specifically, you can capture a password reset request and modify the Host header to an attacker-controlled domain, then observe if the reset email contains a link pointing to that domain. Commands depend on your interception tool, but with curl you might simulate a request like: curl -H "Host: evil-user.net" -d "username=victim" https://target-website.com/password-reset to see if the reset link is affected. Additionally, monitoring outgoing emails for reset links pointing to unexpected domains can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include configuring the Flask application to set a fixed SERVER_NAME so that url_for(_external=True) generates reset links with a trusted domain rather than relying on the incoming Host header. This prevents attackers from manipulating the Host header to poison password reset links. Additionally, validate and sanitize the Host header or avoid using it directly when generating URLs. Monitoring and alerting on unusual password reset requests and suspicious reset link domains can also help detect exploitation attempts. [1, 3]
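The following is an added example, not code from the BaseFortify page or from the sharewarez project. It illustrates both the detection answer and the mitigation answer above: a reset-link builder that derives the absolute URL from the client-supplied Host header (the behaviour url_for(_external=True) has when SERVER_NAME is unset), the fixed-origin alternative, a Host allowlist check, and a small scanner that flags outbound reset links whose host is not trusted. It uses only the standard library, so it is not Flask's API; the hostname sharewarez.example.com, the /reset-password/ path, the token values and the mail log lines are all constructed for the example.

```python
"""Added example (not from the BaseFortify page or the sharewarez project).

Shows why building a password-reset URL from the request Host header is unsafe,
the fixed-origin form that the mitigation relies on, and a detector for reset
links that point at an unexpected domain. Standard library only; all hostnames,
tokens and log lines below are constructed samples.
"""
import re
from urllib.parse import urlsplit

SERVER_NAME = "sharewarez.example.com"   # assumed deployment hostname (constructed)
TRUSTED_HOSTS = {SERVER_NAME}            # allowlist used by the checks below


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """Vulnerable pattern: the absolute URL is built from whatever Host the
    client sent, so a spoofed Host header lands in the reset email."""
    host = headers.get("Host", "")
    return f"https://{host}/reset-password/{token}"


def reset_link_fixed_origin(headers: dict, token: str) -> str:
    """Hardened pattern: the client-supplied Host is ignored entirely and the
    link is built from the configured SERVER_NAME."""
    return f"https://{SERVER_NAME}/reset-password/{token}"


def host_header_is_trusted(headers: dict) -> bool:
    """Defence in depth: accept the request only if Host (port stripped,
    case-folded) is on the allowlist."""
    host = headers.get("Host", "").split(":", 1)[0].lower()
    return host in TRUSTED_HOSTS


def link_host(url: str) -> str:
    """Hostname of a URL without port, lower-cased ('' if unparsable)."""
    return (urlsplit(url).hostname or "").lower()


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_suspicious_reset_links(mail_log: str) -> list[str]:
    """Detection: scan outbound mail log lines and return every reset link
    whose host is not on the allowlist."""
    suspicious = []
    for line in mail_log.splitlines():
        for url in URL_RE.findall(line):
            if "/reset-password/" in url and link_host(url) not in TRUSTED_HOSTS:
                suspicious.append(url)
    return suspicious


# Constructed sample headers: one spoofed Host, one legitimate.
SPOOFED_HEADERS = {"Host": "evil-user.net"}
NORMAL_HEADERS = {"Host": "sharewarez.example.com"}
TOKEN = "tok-constructed-0001"

# Constructed outbound mail log: two legitimate links, one poisoned link.
SAMPLE_MAIL_LOG = """\
2025-10-23T10:00:01Z to=alice@example.org subject="Reset your password" body="https://sharewarez.example.com/reset-password/tok-a1"
2025-10-23T10:00:05Z to=bob@example.org subject="Reset your password" body="https://evil-user.net/reset-password/tok-b2"
2025-10-23T10:00:09Z to=carol@example.org subject="Reset your password" body="https://sharewarez.example.com:443/reset-password/tok-c3"
"""

if __name__ == "__main__":
    print("host-derived :", reset_link_from_host_header(SPOOFED_HEADERS, TOKEN))
    print("fixed origin :", reset_link_fixed_origin(SPOOFED_HEADERS, TOKEN))
    print("Host trusted :", host_header_is_trusted(SPOOFED_HEADERS))
    print("suspicious   :", find_suspicious_reset_links(SAMPLE_MAIL_LOG))
```

The host-derived builder shows the poisoned link the advisory describes, while the fixed-origin builder returns the same trusted URL regardless of the Host header. The allowlist check belongs in front of the reset handler so that a request with an unexpected Host is rejected before any email is sent, and the log scanner is the kind of check the detection answer suggests for outgoing mail.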