CVE-2025-13434
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-20

Last updated on: 2025-12-11

Assigner: VulDB

Description
A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\hush-lib\hush\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $_SERVER['HOST'] causes improper neutralization of http headers for scripting syntax. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-20
Last Modified
2025-12-11
Generated
2026-06-16
AI Q&A
2025-11-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13434
EUVD
EUVD-2025-198257
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jameschz hush 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in jameschz Hush Framework 2.0, specifically in the HTTP Host Header Handler component within the file Hush\hush-lib\hush\Util.php. It involves improper neutralization of HTTP headers related to scripting syntax caused by manipulation of the $_SERVER['HOST'] argument. This means that an attacker can manipulate the HTTP Host header to inject malicious scripting code that is not properly sanitized, potentially affecting web browser components that process raw headers, such as Flash. The vulnerability is remotely exploitable without authentication, and a public proof-of-concept exploit is available. [1]

Impact Analysis

The vulnerability can impact you by allowing attackers to inject malicious scripting code through the HTTP Host header, which can be processed by vulnerable web browser components. This can compromise the integrity of the system by enabling script-based attacks, potentially leading to unauthorized actions or manipulation of the affected application. Since exploitation is easy and can be done remotely without authentication, it poses a moderate security risk. [1]

Detection Guidance

This vulnerability can be detected by searching for the presence of the vulnerable file path related to jameschz Hush Framework 2.0, specifically the file `Hush\hush-lib\hush\Util.php`. Attackers use Google hacking techniques to identify vulnerable targets by searching for this file path. On your system, you can check for the existence of this file to confirm if the vulnerable component is present. Since the vulnerability involves manipulation of the $_SERVER['HOST'] argument in HTTP headers, monitoring HTTP Host headers for suspicious or malformed values might help detect exploitation attempts. However, no specific detection commands are provided in the resources. [1]

Mitigation Strategies

No official countermeasures or mitigations are currently known due to the vendor's lack of response. The recommended immediate step is to replace the affected component (jameschz Hush Framework 2.0) with an alternative product that is not vulnerable. Additionally, monitoring for exploitation attempts and restricting access to the vulnerable service may help reduce risk until a fix or patch is available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart