CVE-2025-61543
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-16

Last updated on: 2025-10-16

Assigner: MITRE

Description
A Host Header Injection vulnerability exists in the password reset functionality of CraftMyCMS 4.0.2.2. The system uses `$_SERVER['HTTP_HOST']` directly to construct password reset links sent via email. An attacker can manipulate the Host header to send malicious reset links, enabling phishing attacks or account takeover.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-16
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61543
EUVD
EUVD-2025-34765
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
craftmycms craftmycms 4.0.2.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Host Header Injection in the password reset functionality of CraftMyCMS 4.0.2.2. The system uses the HTTP Host header directly to create password reset links sent via email. An attacker can manipulate this Host header to craft malicious reset links, which can be used for phishing attacks or to take over user accounts.

Impact Analysis

The vulnerability can allow attackers to send malicious password reset links to users, potentially leading to phishing attacks or unauthorized account takeover, compromising user accounts and system security.

Mitigation Strategies

To mitigate this vulnerability, avoid using the HTTP Host header directly when constructing password reset links. Instead, use a fixed, trusted hostname or validate and sanitize the Host header before use. Additionally, consider implementing strict validation on the Host header or configuring the application to use a predefined base URL for password reset links to prevent Host Header Injection attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61543. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart