CVE-2025-52560 Overview
CVE-2025-52560 is a Host Header Injection vulnerability affecting Kanboard, an open-source project management software focused on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (which is the default behavior). This flaw enables attackers to craft malicious password reset links that leak sensitive tokens to attacker-controlled domains, potentially leading to complete account takeover.
Critical Impact
Attackers can hijack any user account, including administrator accounts, by manipulating the Host header during password reset requests to exfiltrate reset tokens.
Affected Products
- Kanboard versions prior to 1.2.46
- Kanboard installations with default configuration (where application_url is not explicitly set)
- All users who initiate password resets on vulnerable instances
Discovery Timeline
- June 24, 2025 - CVE-2025-52560 published to NVD
- January 13, 2026 - Last updated in NVD database
Technical Details for CVE-2025-52560
Vulnerability Analysis
This vulnerability falls under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). The core issue lies in how Kanboard constructs the base URL for password reset emails. When the application_url configuration option is not set, which is the default state, the application falls back to using server-provided values that can be influenced by the HTTP Host header sent by the client.
An attacker can exploit this by initiating a password reset request for a target user while injecting a malicious Host header pointing to an attacker-controlled domain. The generated password reset email will contain a link that includes the password reset token but directs the user to the attacker's server. When the victim clicks this link, their reset token is transmitted to the attacker, who can then use it to reset the victim's password and take over their account.
Root Cause
The root cause is improper trust in client-supplied input, specifically the HTTP Host header. The vulnerable code in app/Helper/UrlHelper.php used the $this->server() method as a fallback when application_url was not configured. This method ultimately derived the base URL from the SERVER_NAME or related server variables, which can be influenced by the incoming Host header in many server configurations.
Attack Vector
The attack is network-based and requires user interaction. An attacker must convince a victim to click a poisoned password reset link. The attack flow involves:
- Attacker identifies a target user's email address on a vulnerable Kanboard instance
- Attacker sends a password reset request with a crafted Host header pointing to their controlled domain
- Victim receives a legitimate-looking password reset email from Kanboard
- The reset link in the email points to the attacker's domain instead of the legitimate application
- When victim clicks the link, the reset token is captured by the attacker
- Attacker uses the token to reset the victim's password and gain access
// Vulnerable code in app/Helper/UrlHelper.php (before patch)
public function base()
{
if (empty($this->base)) {
$this->base = $this->configModel->get('application_url') ?: $this->server();
}
return $this->base;
}
// Patched code (version 1.2.46+)
public function base()
{
if (empty($this->base)) {
$this->base = $this->configModel->get('application_url') ?: 'http://localhost/';
}
return $this->base;
}
Source: GitHub Commit bca2bd7
Detection Methods for CVE-2025-52560
Indicators of Compromise
- Password reset emails containing links pointing to unexpected or unknown domains
- Web server logs showing password reset requests with unusual or suspicious Host header values
- Users reporting receipt of password reset emails they did not request
- Failed login attempts following suspicious password reset activity
Detection Strategies
- Monitor web server access logs for password reset endpoints (/password/reset) with abnormal Host headers that don't match your legitimate domain
- Implement email gateway monitoring to detect outbound password reset emails containing unexpected URLs
- Review Kanboard configuration to verify whether application_url is explicitly set
- Deploy Web Application Firewall (WAF) rules to detect and block requests with mismatched or suspicious Host headers
Monitoring Recommendations
- Enable detailed logging for authentication-related endpoints in Kanboard
- Set up alerts for multiple password reset requests targeting the same user account in short succession
- Monitor for password changes following password reset requests, especially for administrator accounts
- Implement network-level monitoring for outbound connections from your Kanboard server to unusual domains
How to Mitigate CVE-2025-52560
Immediate Actions Required
- Upgrade Kanboard to version 1.2.46 or later immediately
- If immediate upgrade is not possible, explicitly configure the application_url setting in your Kanboard configuration
- Review recent password reset activity logs for any suspicious patterns
- Consider forcing password resets for privileged accounts as a precautionary measure
- Notify users about the vulnerability and advise them to verify the domain in any password reset links before clicking
Patch Information
The vulnerability has been addressed in Kanboard version 1.2.46. The fix modifies the URL helper to use a safe default value (http://localhost/) instead of deriving the base URL from potentially attacker-controlled server variables. Organizations should upgrade to version 1.2.46 or later to remediate this vulnerability.
For more details, see the GitHub Security Advisory GHSA-2ch5-gqjm-8p92 and the security patch commit.
Workarounds
- Set the application_url configuration parameter to your legitimate application URL in Kanboard's configuration
- Configure your web server or reverse proxy to reject requests with unexpected Host header values
- Implement strict Host header validation at the infrastructure level using a WAF or proxy
- Temporarily disable the password reset functionality if an immediate upgrade is not feasible
# Configuration example - Set application_url in config.php
# Add or modify this line in your Kanboard config.php file:
define('APP_BASE_URL', 'https://your-kanboard-domain.com/');
# Alternatively, configure via the admin interface:
# Settings > Application settings > Application URL
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
