CVE-2025-62428
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drawing-captcha | drawing-captcha-app | 1.2.5-alpha-patch |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Host Header Injection in the /register and /confirm-email endpoints of the Drawing-Captcha APP. It allows an attacker to manipulate the Host header in HTTP requests to generate malicious email confirmation links that redirect users to attacker-controlled domains.
How can this vulnerability impact me?
The vulnerability can impact users by allowing attackers to send malicious email confirmation links that redirect users to attacker-controlled domains, potentially leading to phishing attacks or unauthorized access during account registration or verification.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Drawing-Captcha APP to version 1.2.5-alpha-patch or later, where the Host Header Injection vulnerability has been fixed.
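The Host header pattern described in the Q&A above, placed beside a hardened version that derives confirmation links from an operator-configured origin and rejects unexpected Host values, as an added illustrative example in Python (not the Drawing-Captcha project's own code; the origin, allowlist, token and header values are all constructed):

```python
"""Email-confirmation link generation: Host-header-derived vs. configuration-derived."""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Assumed deployment settings (constructed values): the canonical public origin
# of the service and the hostnames it is willing to serve. These come from the
# operator's configuration, never from the incoming request.
CANONICAL_ORIGIN = "https://captcha.example.org"
ALLOWED_HOSTS = {"captcha.example.org"}


def vulnerable_confirm_link(headers: dict, token: str) -> str:
    """The weak pattern the CVE describes: the link's host is copied from the
    request's Host header, so whoever controls that header controls where the
    emailed link points."""
    host = headers.get("Host", "")
    return f"https://{host}/confirm-email?{urlencode({'token': token})}"


def host_is_allowed(headers: dict) -> bool:
    """Allowlist check on the Host header (port stripped, case-insensitive)."""
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def safe_confirm_link(headers: dict, token: str):
    """Hardened form: refuse the request if Host is not allowlisted, and build the
    link from CANONICAL_ORIGIN only. Returns None when the request is rejected so
    the caller can answer with an error instead of sending any email."""
    if not host_is_allowed(headers):
        return None
    scheme, netloc, _path, _query, _frag = urlsplit(CANONICAL_ORIGIN)
    return urlunsplit((scheme, netloc, "/confirm-email",
                       urlencode({"token": token}), ""))


# Constructed sample requests: a legitimate one and one with a forged Host header.
LEGIT_HEADERS = {"Host": "captcha.example.org"}
FORGED_HEADERS = {"Host": "attacker.invalid:443"}

if __name__ == "__main__":
    for name, hdrs in (("legit", LEGIT_HEADERS), ("forged", FORGED_HEADERS)):
        print(name, "vulnerable ->", vulnerable_confirm_link(hdrs, "t0k3n"))
        print(name, "hardened   ->", safe_confirm_link(hdrs, "t0k3n"))
```

Run stand-alone, the forged request yields a link to the attacker's host under the weak pattern but is rejected (None) by the hardened one, while the legitimate request produces the same canonical link either way.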