CVE-2025-27913 Overview
CVE-2025-27913 is a Host Header Injection vulnerability affecting Passbolt API versions before 5. When the server is misconfigured—specifically due to an incorrect installation process and disregarding Health Check results—the application can send email messages with a domain name taken from an attacker-controlled HTTP Host header. This weakness (CWE-348: Use of Less Trusted Source) allows attackers to potentially manipulate email communications by injecting malicious domain names into outbound messages.
Critical Impact
Misconfigured Passbolt API installations may allow attackers to inject attacker-controlled domain names into email communications, potentially enabling phishing attacks or credential theft through manipulated password reset links.
Affected Products
- Passbolt API versions before 5
- Self-hosted Passbolt installations with incorrect configuration
- Deployments that disregarded Health Check warnings
Discovery Timeline
- 2025-03-10 - CVE-2025-27913 published to NVD
- 2025-06-19 - Last updated in NVD database
Technical Details for CVE-2025-27913
Vulnerability Analysis
This vulnerability falls under CWE-348 (Use of Less Trusted Source), which occurs when an application trusts user-controllable input for security-critical decisions. In the case of Passbolt API, the application improperly trusts the HTTP Host header value when constructing email messages, rather than using a configured trusted domain value.
The vulnerability requires a specific misconfiguration scenario to be exploitable: administrators must have deviated from the proper installation process and ignored Health Check warnings that would have flagged the vulnerable configuration. While this limits the attack surface, organizations that have misconfigured deployments are at risk of having their email communications manipulated.
The attack requires network access and user interaction, as victims must receive and act upon the malicious emails containing attacker-controlled domain names.
Root Cause
The root cause stems from the Passbolt API's email generation logic using the HTTP Host header as a trusted source for domain name information when composing outbound emails. In properly configured installations, the Health Check feature would detect and warn administrators about this misconfiguration. However, when installation procedures are not followed correctly and Health Check warnings are disregarded, the vulnerable configuration persists.
This design flaw allows the application to accept user-supplied Host header values without proper validation, enabling attackers to inject arbitrary domain names into email communications sent by the system.
Attack Vector
The attack leverages the network-accessible nature of the Passbolt API. An attacker can craft HTTP requests with a malicious Host header value targeting a misconfigured Passbolt instance. When the application generates emails (such as password reset notifications or account invitations), it incorporates the attacker-controlled domain from the Host header.
The attack flow typically involves:
- Attacker identifies a misconfigured Passbolt API instance
- Attacker sends requests with a crafted Host header pointing to a malicious domain
- Passbolt generates emails containing links to the attacker-controlled domain
- Recipients receive seemingly legitimate emails with malicious links
- Users clicking these links may have their credentials harvested or be redirected to phishing pages
The vulnerability requires user interaction, as victims must receive and engage with the manipulated emails for the attack to succeed.
Detection Methods for CVE-2025-27913
Indicators of Compromise
- Email messages from Passbolt containing unexpected or unfamiliar domain names in links
- HTTP request logs showing unusual or external Host header values targeting the Passbolt API
- User reports of password reset emails with suspicious URLs
- Discrepancies between the configured Passbolt domain and domains appearing in outbound emails
Detection Strategies
- Monitor HTTP access logs for requests with Host header values that do not match the legitimate Passbolt domain
- Implement email gateway rules to flag outbound Passbolt emails containing links to unauthorized domains
- Review Passbolt Health Check results regularly to identify configuration warnings
- Deploy web application firewalls (WAF) with Host header validation rules
Monitoring Recommendations
- Enable detailed logging on the Passbolt API server to capture all incoming Host headers
- Configure SIEM alerts for anomalous Host header patterns in requests to Passbolt endpoints
- Implement email security solutions that inspect URLs in outbound messages for domain anomalies
- Establish baseline monitoring of legitimate Passbolt email patterns to detect deviations
How to Mitigate CVE-2025-27913
Immediate Actions Required
- Upgrade Passbolt API to version 5 or later immediately
- Run the Passbolt Health Check utility and address all configuration warnings
- Review and correct any deviations from the official installation documentation
- Configure web server or reverse proxy to validate and restrict Host header values
- Audit email logs for any evidence of prior exploitation
Patch Information
Passbolt has addressed this vulnerability in Passbolt API version 5. Organizations running earlier versions should upgrade to the latest release to remediate this issue. The vendor has published detailed information about this incident at their security incident report page.
After upgrading, administrators should:
- Re-run the Health Check to confirm proper configuration
- Verify that the application uses a hardcoded or properly configured domain for email generation
- Test email functionality to confirm links contain the correct domain
Workarounds
- Configure the web server or reverse proxy to validate incoming Host headers against a whitelist of allowed domains
- Implement server-level restrictions to reject requests with unexpected Host header values
- Use a properly configured reverse proxy (such as Nginx or Apache) that overwrites the Host header with the legitimate domain
- Enable strict virtual host configurations to prevent Host header manipulation
# Nginx configuration example for Host header validation
server {
listen 443 ssl;
server_name passbolt.example.com;
# Reject requests with invalid Host headers
if ($host !~* ^(passbolt\.example\.com)$) {
return 444;
}
# Additional security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
