CVE-2024-32642 Overview
CVE-2024-32642 is a host header poisoning vulnerability in Masa CMS, an open source Enterprise Content Management platform. The flaw allows an attacker to manipulate the HTTP Host header during the password reset workflow, causing the application to generate password reset emails containing attacker-controlled links. When a victim clicks the link, the reset token is sent to an attacker-controlled host, enabling full account takeover. The issue is classified under CWE-346: Origin Validation Error. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are affected.
Critical Impact
Attackers can hijack arbitrary accounts, including administrative accounts, by triggering a password reset and capturing the reset token through a poisoned host header.
Affected Products
- Masa CMS versions prior to 7.2.8 (7.2.x branch)
- Masa CMS versions prior to 7.3.13 (7.3.x branch)
- Masa CMS versions prior to 7.4.6 (7.4.x branch)
Discovery Timeline
- 2025-12-03 - CVE-2024-32642 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2024-32642
Vulnerability Analysis
Masa CMS generates password reset URLs by reading the inbound HTTP Host header and embedding it directly into the email body sent to the requesting user. The application does not validate the Host header against an allow-list of trusted domains. An attacker who submits a password reset request for a target account while supplying a malicious Host header causes the resulting email to contain a link pointing to an attacker-controlled domain. The reset token remains valid for the legitimate Masa CMS instance, so any interaction with the poisoned link discloses the token to the attacker.
The vulnerability requires user interaction because the victim must click the link in the password reset email. However, attackers can also exploit secondary channels such as web prefetchers, link previewers, or email security scanners that automatically dereference URLs, which may leak the token without explicit victim action.
Root Cause
The root cause is reliance on the client-supplied Host header for constructing absolute URLs in outbound email. Origin validation is absent, so the request context is trusted implicitly. This pattern violates secure URL construction guidance, which requires server-side configuration of the canonical base URL.
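The vulnerable pattern and its hardened counterpart, shown here as an added Python illustration rather than Masa CMS code (which is CFML): the first function builds the reset link from the client-supplied Host header as described above, the second validates the inbound Host against an allow-list and builds the link only from a server-side configured base URL. CANONICAL_BASE_URL, ALLOWED_HOSTS and the function names are assumptions.

```python
from urllib.parse import urlencode, urlsplit

# Assumed server-side configuration: the canonical base URL is set by the
# operator and never derived from the request.
CANONICAL_BASE_URL = "https://cms.example.com"
ALLOWED_HOSTS = {"cms.example.com"}


def vulnerable_reset_url(headers: dict, token: str) -> str:
    """CWE-346 pattern: the link's origin comes straight from the inbound Host header.

    A request carrying 'Host: attacker.example' yields an email link that hands the
    still-valid token to that host as soon as the recipient (or a link previewer) opens it.
    """
    host = headers.get("Host", "")
    return f"https://{host}/resetPassword?{urlencode({'token': token})}"


def normalize_host(raw_host: str) -> str:
    """Reduce a raw Host header to the hostname that would actually be contacted.

    urlsplit lower-cases the name and strips an explicit port, userinfo and any
    trailing path, so 'CMS.Example.com:443' compares equal to the canonical name
    while 'cms.example.com@attacker.example' resolves to 'attacker.example'.
    """
    return urlsplit("//" + raw_host.strip()).hostname or ""


def host_is_allowed(raw_host: str) -> bool:
    return normalize_host(raw_host) in ALLOWED_HOSTS


def hardened_reset_url(headers: dict, token: str) -> str:
    """Fixed pattern: reject unexpected Host values and build the link from config only."""
    if not host_is_allowed(headers.get("Host", "")):
        raise ValueError("request Host header is not an allowed origin")
    # The header is validated but deliberately not used in the URL.
    return f"{CANONICAL_BASE_URL}/resetPassword?{urlencode({'token': token})}"
```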
Attack Vector
The attack is performed remotely over the network without authentication. An attacker submits a forged HTTP request to the Masa CMS password reset endpoint with a Host header pointing to a domain they control. Masa CMS issues a reset email containing a link such as https://attacker.example/resetPassword?token=.... When the victim follows the link, the attacker captures the token and submits it to the legitimate Masa CMS host to complete the password change.
No verified exploit code is publicly available. See the GitHub Security Advisory GHSA-qjm6-c8hx-ffh8 for vendor-provided technical details.
Detection Methods for CVE-2024-32642
Indicators of Compromise
- Password reset emails generated by Masa CMS containing URLs whose hostnames do not match the canonical application domain.
- Web server access logs showing requests to /resetPassword or related endpoints with Host headers that differ from the expected production hostname.
- Outbound DNS queries or HTTP requests from mail-handling infrastructure to unknown external domains referenced in reset emails.
Detection Strategies
- Inspect web server and reverse proxy logs for inbound HTTP requests carrying unexpected Host header values, particularly against authentication and password reset endpoints.
- Correlate password reset request events with subsequent successful authentication from new IP addresses or geolocations within short time windows.
- Review outbound mail content for password reset URLs whose domains diverge from the configured canonical Masa CMS URL.
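Detection logic for the log-based indicators above, as an added Python example that is not part of the advisory: it parses constructed access-log lines in an assumed custom format that records the raw Host header (the default NGINX combined format does not), and reports every request whose Host is not the canonical name, ranking hits on the password reset endpoint highest. CANONICAL_HOSTS, RESET_PATH_PREFIX and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit

CANONICAL_HOSTS = {"cms.example.com"}   # assumed production hostname
RESET_PATH_PREFIX = "/resetPassword"    # endpoint named in the advisory; adjust to the deployed route

# Assumed custom log format (e.g. an NGINX log_format with $http_host added):
#   $remote_addr [$time_local] "$http_host" "$request" $status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Constructed sample lines: a legitimate reset, a poisoned reset, a legitimate reset
# with mixed case and an explicit port, and a non-canonical Host on an unrelated path.
SAMPLE_LOG = """\
203.0.113.10 [03/Dec/2025:10:15:01 +0000] "cms.example.com" "POST /resetPassword HTTP/1.1" 200
198.51.100.7 [03/Dec/2025:10:16:44 +0000] "attacker.example" "POST /resetPassword HTTP/1.1" 200
203.0.113.11 [03/Dec/2025:10:16:50 +0000] "CMS.Example.com:443" "POST /resetPassword?x=1 HTTP/1.1" 200
203.0.113.22 [03/Dec/2025:10:17:12 +0000] "attacker.example" "GET /index.cfm HTTP/1.1" 200
"""


def normalize_host(raw_host: str) -> str:
    """Lower-case and strip port/userinfo so 'CMS.Example.com:443' matches the allow-list."""
    return urlsplit("//" + raw_host.strip()).hostname or ""


def find_host_anomalies(log_text: str) -> list:
    """Return (severity, ip, raw_host, path) for each request with a non-canonical Host.

    Requests to the reset endpoint are 'high' (a poisoned reset email may have been sent);
    any other path is 'medium' (same anomaly, but no reset token is at stake on that request).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these
        if normalize_host(m["host"]) in CANONICAL_HOSTS:
            continue
        path_only = m["path"].split("?", 1)[0]
        severity = "high" if path_only.startswith(RESET_PATH_PREFIX) else "medium"
        findings.append((severity, m["ip"], m["host"], m["path"]))
    return findings
```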
Monitoring Recommendations
- Configure the upstream load balancer or reverse proxy to log and alert on Host header anomalies before requests reach Masa CMS.
- Enable mail content inspection rules that flag password reset emails containing non-canonical hostnames.
- Monitor administrative account password change events and require step-up verification for sensitive accounts.
How to Mitigate CVE-2024-32642
Immediate Actions Required
- Upgrade Masa CMS to 7.2.8, 7.3.13, or 7.4.6 depending on the deployed branch.
- Invalidate any pending password reset tokens issued before the upgrade.
- Audit recent administrative password changes and reset emails for evidence of exploitation.
Patch Information
The vendor addressed the issue in commit 7541b9c99fb9e32d1de6f2658750525cec1d8960. The fix replaces reliance on the Host header with a server-side configured base URL when constructing password reset links. Full details are available in the Masa CMS Security Advisory GHSA-qjm6-c8hx-ffh8.
Workarounds
- Configure the reverse proxy or web application firewall to enforce a strict Host header allow-list matching the canonical application domain.
- Reject or rewrite inbound requests with Host headers that do not match expected values before they reach the Masa CMS application.
- Disable or restrict the password reset endpoint until patching is complete if the upgrade cannot be applied immediately.
# Example NGINX configuration to enforce a strict Host header allow-list
server {
    listen 443 ssl;
    server_name cms.example.com;
    # ssl_certificate / ssl_certificate_key directives omitted here; both are required for a TLS listener.

    # Defence in depth: even when this is the default server for the listener, close the
    # connection (status 444, no response) for any request whose Host does not match.
    # $host is already lower-cased and port-stripped by NGINX, so no further normalisation is needed.
    if ($host !~* "^cms\.example\.com$") {
        return 444;
    }

    location / {
        # Hand the backend the canonical host so Masa CMS never sees a client-supplied
        # value when it builds absolute URLs for outbound email.
        proxy_set_header Host cms.example.com;
        proxy_pass http://masacms_backend;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.