CVE-2025-27913 Overview
CVE-2025-27913 is a Host Header Injection vulnerability affecting Passbolt API versions before 5. When the server is misconfigured (specifically, when the installation process was not followed correctly and Health Check results were disregarded), the application can send email messages whose domain name is taken from an attacker-controlled HTTP Host header. This weakness (CWE-348: Use of Less Trusted Source) allows attackers to potentially manipulate email communications by injecting malicious domain names into outbound messages.
Critical Impact
Misconfigured Passbolt API installations may allow attackers to inject attacker-controlled domain names into email communications, potentially enabling phishing attacks or credential theft through manipulated password reset links.
Affected Products
- Passbolt API versions before 5
- Self-hosted Passbolt installations with incorrect configuration
- Deployments that disregarded Health Check warnings
Discovery Timeline
- 2025-03-10 - CVE-2025-27913 published to NVD
- 2025-06-19 - Last updated in NVD database
Technical Details for CVE-2025-27913
Vulnerability Analysis
This vulnerability falls under CWE-348 (Use of Less Trusted Source), which occurs when an application trusts user-controllable input for security-critical decisions. In the case of Passbolt API, the application improperly trusts the HTTP Host header value when constructing email messages, rather than using a configured trusted domain value.
The vulnerability requires a specific misconfiguration scenario to be exploitable: administrators must have deviated from the proper installation process and ignored Health Check warnings that would have flagged the vulnerable configuration. While this limits the attack surface, organizations that have misconfigured deployments are at risk of having their email communications manipulated.
The attack requires network access and user interaction, as victims must receive and act upon the malicious emails containing attacker-controlled domain names.
Root Cause
The root cause stems from the Passbolt API's email generation logic using the HTTP Host header as a trusted source for domain name information when composing outbound emails. In properly configured installations, the Health Check feature would detect and warn administrators about this misconfiguration. However, when installation procedures are not followed correctly and Health Check warnings are disregarded, the vulnerable configuration persists.
This design flaw allows the application to accept user-supplied Host header values without proper validation, enabling attackers to inject arbitrary domain names into email communications sent by the system.
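The weak pattern described above, the link host copied from the request's Host header, next to a hardened version that builds links from configuration only and rejects requests whose Host does not match it. This is an added, illustrative example, not Passbolt's code: the Request type, the token, the configured base URL and the hostnames are all constructed here, and the reset path is a placeholder.

```python
"""Illustrative reconstruction of the CWE-348 pattern behind CVE-2025-27913.

Added example, not Passbolt's code: the Request type, the token, the
configured base URL and the hostnames below are all constructed here to
show the weak link-building pattern beside a hardened one.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for this example)."""
    headers: dict
    scheme: str = "https"


# Assumption: stands in for the application's configured canonical URL.
CONFIGURED_BASE_URL = "https://passbolt.example.com"


def reset_link_vulnerable(req: Request, token: str) -> str:
    """Weak pattern: the link host is copied from the client-supplied Host header.

    Whoever controls the Host header of the request that triggers the email
    controls where the recipient is sent.
    """
    host = req.headers.get("Host", "")
    return f"{req.scheme}://{host}/auth/reset/{token}"


def normalize_host(raw: str) -> str:
    """Lower-case the Host value and drop an explicit port (IPv6 literals not handled)."""
    return raw.strip().lower().split(":", 1)[0]


def host_is_trusted(host: str, base_url: str = CONFIGURED_BASE_URL) -> bool:
    """True only when Host names exactly the configured domain."""
    expected = (urlparse(base_url).hostname or "").lower()
    return bool(expected) and normalize_host(host) == expected


def reset_link_hardened(req: Request, token: str, base_url: str = CONFIGURED_BASE_URL) -> str:
    """Hardened pattern: build the link from configuration only, and refuse to
    act on a request whose Host header does not match that configuration."""
    host = req.headers.get("Host", "")
    if not host_is_trusted(host, base_url):
        raise ValueError(f"untrusted Host header rejected: {host!r}")
    return f"{base_url.rstrip('/')}/auth/reset/{token}"


if __name__ == "__main__":
    legit = Request({"Host": "passbolt.example.com"})
    spoofed = Request({"Host": "untrusted.example"})  # constructed attacker-controlled value
    print("vulnerable:", reset_link_vulnerable(spoofed, "TOKEN"))
    print("hardened:  ", reset_link_hardened(legit, "TOKEN"))
    try:
        reset_link_hardened(spoofed, "TOKEN")
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The hardened version deliberately fails closed: a request carrying the wrong Host never produces an email at all, which is the behaviour a correctly configured deployment (and the Health Check that verifies it) is meant to guarantee.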
Attack Vector
The attack leverages the network-accessible nature of the Passbolt API. An attacker can craft HTTP requests with a malicious Host header value targeting a misconfigured Passbolt instance. When the application generates emails (such as password reset notifications or account invitations), it incorporates the attacker-controlled domain from the Host header.
The attack flow typically involves:
- Attacker identifies a misconfigured Passbolt API instance
- Attacker sends requests with a crafted Host header pointing to a malicious domain
- Passbolt generates emails containing links to the attacker-controlled domain
- Recipients receive seemingly legitimate emails with malicious links
- Users clicking these links may have their credentials harvested or be redirected to phishing pages
The vulnerability requires user interaction, as victims must receive and engage with the manipulated emails for the attack to succeed.
Detection Methods for CVE-2025-27913
Indicators of Compromise
- Email messages from Passbolt containing unexpected or unfamiliar domain names in links
- HTTP request logs showing unusual or external Host header values targeting the Passbolt API
- User reports of password reset emails with suspicious URLs
- Discrepancies between the configured Passbolt domain and domains appearing in outbound emails
Detection Strategies
- Monitor HTTP access logs for requests with Host header values that do not match the legitimate Passbolt domain
- Implement email gateway rules to flag outbound Passbolt emails containing links to unauthorized domains
- Review Passbolt Health Check results regularly to identify configuration warnings
- Deploy web application firewalls (WAF) with Host header validation rules
Monitoring Recommendations
- Enable detailed logging on the Passbolt API server to capture all incoming Host headers
- Configure SIEM alerts for anomalous Host header patterns in requests to Passbolt endpoints
- Implement email security solutions that inspect URLs in outbound messages for domain anomalies
- Establish baseline monitoring of legitimate Passbolt email patterns to detect deviations
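The log-based detection recommended above, worked through on constructed data. This is an added example, not part of the advisory: it assumes the web server has been configured to write the request Host value as the first field of each access log line (followed by client IP, timestamp, request line and status), and every log line, hostname, IP address and request path below is constructed for the example.

```python
"""Detection of Host header mismatches in Passbolt access logs.

Added example, not part of the advisory: the log format and every log line
below are constructed. It assumes the web server has been configured to
write the request Host value as the first field of each line, followed by
the client IP, timestamp, request line and status.
"""
import re
from collections import Counter

# Assumption: the only legitimate hostname for this deployment.
ALLOWED_HOSTS = {"passbolt.example.com"}

# Constructed sample lines; the third and fifth carry Host values that do not
# belong to the deployment (an external name and a bare IP address).
SAMPLE_LOG = """\
passbolt.example.com 10.0.0.5 [10/Mar/2025:12:00:01 +0000] "POST /auth/login.json HTTP/1.1" 200
passbolt.example.com 10.0.0.6 [10/Mar/2025:12:00:02 +0000] "POST /users/recover.json HTTP/1.1" 200
untrusted.example 203.0.113.9 [10/Mar/2025:12:00:03 +0000] "POST /users/recover.json HTTP/1.1" 200
PASSBOLT.EXAMPLE.COM:443 10.0.0.7 [10/Mar/2025:12:00:04 +0000] "GET /healthcheck/status.json HTTP/1.1" 200
203.0.113.9 203.0.113.9 [10/Mar/2025:12:00:05 +0000] "POST /users/recover.json HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def normalize_host(raw: str) -> str:
    """Lower-case and strip an explicit port so case and ':443' do not cause false alerts."""
    return raw.strip().lower().split(":", 1)[0]


def find_host_mismatches(log_text: str, allowed=ALLOWED_HOSTS):
    """Return (findings, unparsed_count).

    One finding per line whose Host value is not an allowed hostname. Lines
    that do not match the expected format are counted rather than silently
    accepted, so log-format drift is visible instead of hiding misses.
    """
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        host = normalize_host(m["host"])
        if host not in allowed:
            findings.append(
                {"host": host, "ip": m["ip"], "time": m["time"], "request": m["request"]}
            )
    return findings, unparsed


def summarize_by_ip(findings):
    """Count mismatched-Host requests per client IP for alert prioritisation."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits, skipped = find_host_mismatches(SAMPLE_LOG)
    for f in hits:
        print(f"ALERT host={f['host']} ip={f['ip']} time={f['time']} request={f['request']!r}")
    print("per-IP:", summarize_by_ip(hits), "unparsed lines:", skipped)
```

Normalising case and port before comparison matters in practice: a legitimate client that sends `Host: PASSBOLT.EXAMPLE.COM:443` should not page anyone, while a bare IP address or an external name in the Host field of a request to a recovery or invitation endpoint is exactly the signal the indicators above describe. The unparsed-line count guards against the quiet failure mode where a changed log format makes the check match nothing.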
How to Mitigate CVE-2025-27913
Immediate Actions Required
- Upgrade Passbolt API to version 5 or later immediately
- Run the Passbolt Health Check utility and address all configuration warnings
- Review and correct any deviations from the official installation documentation
- Configure web server or reverse proxy to validate and restrict Host header values
- Audit email logs for any evidence of prior exploitation
Patch Information
Passbolt has addressed this vulnerability in Passbolt API version 5. Organizations running earlier versions should upgrade to the latest release to remediate this issue. The vendor has published detailed information about this incident at their security incident report page.
After upgrading, administrators should:
- Re-run the Health Check to confirm proper configuration
- Verify that the application uses a hardcoded or properly configured domain for email generation
- Test email functionality to confirm links contain the correct domain
Workarounds
- Configure the web server or reverse proxy to validate incoming Host headers against a whitelist of allowed domains
- Implement server-level restrictions to reject requests with unexpected Host header values
- Use a properly configured reverse proxy (such as Nginx or Apache) that overwrites the Host header with the legitimate domain
- Enable strict virtual host configurations to prevent Host header manipulation
    # Nginx configuration example for Host header validation
    server {
        listen 443 ssl;
        server_name passbolt.example.com;

        # Reject requests whose Host header is not the legitimate domain.
        # $host is already lower-cased and has the port stripped by nginx;
        # 444 closes the connection without sending a response.
        if ($host !~* ^(passbolt\.example\.com)$) {
            return 444;
        }

        # Note: nginx routes requests with an unrecognised Host to the
        # default_server; make this block (or a catch-all that also returns
        # 444) the default_server so unmatched Host values are never served
        # by another virtual host.

        # Additional security headers
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
    }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.