CVE-2025-70948 Overview
A host header injection vulnerability exists in the mailer component of @perfood/couch-auth version 0.26.0. This vulnerability allows attackers to obtain password reset tokens and execute account takeover attacks by spoofing the HTTP Host header. When a user requests a password reset, the mailer component uses the Host header to construct the reset link URL. An attacker can manipulate this header to point to a malicious domain they control, causing the reset token to be sent to their server when the victim clicks the link.
Critical Impact
Attackers can hijack user accounts by intercepting password reset tokens through Host header manipulation, leading to complete account takeover without requiring any authentication.
Affected Products
- @perfood/couch-auth v0.26.0
- Applications using the couch-auth mailer component for password reset functionality
Discovery Timeline
- 2026-03-05 - CVE CVE-2025-70948 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-70948
Vulnerability Analysis
This host header injection vulnerability affects the password reset functionality within the @perfood/couch-auth npm package. The mailer component fails to properly validate or sanitize the HTTP Host header when constructing password reset URLs. When a legitimate user initiates a password reset request, the application uses the Host header value directly to build the reset link that gets emailed to the user.
An attacker can exploit this by intercepting or initiating a password reset request while injecting a malicious Host header pointing to an attacker-controlled domain. The victim receives an email with a reset link that appears legitimate but actually points to the attacker's server. When the victim clicks this link, the password reset token is transmitted to the attacker, who can then use it to reset the victim's password and gain full control of their account.
Root Cause
The root cause of this vulnerability is improper input validation of the HTTP Host header in the mailer component. The application trusts the Host header value provided in the HTTP request without proper validation or sanitization. Instead of using a configured, trusted base URL for password reset links, the code dynamically constructs the URL using the potentially attacker-controlled Host header value.
Attack Vector
The attack exploits the trust relationship between the application and the HTTP Host header. An attacker targets a specific user by initiating or manipulating a password reset request:
- The attacker identifies a target user account
- The attacker initiates a password reset request while injecting a malicious Host header (e.g., evil-attacker.com)
- The vulnerable mailer component constructs the reset URL using the spoofed Host header
- The victim receives an email with a reset link pointing to evil-attacker.com
- When the victim clicks the link, the reset token is sent to the attacker's server
- The attacker uses the captured token to reset the victim's password and take over the account
For technical exploitation details and proof of concept, refer to the GitHub PoC Gist.
Detection Methods for CVE-2025-70948
Indicators of Compromise
- Unusual or external Host header values in password reset request logs
- Password reset emails containing URLs pointing to unexpected or malicious domains
- Multiple password reset requests for the same account from different network locations
- User reports of receiving password reset emails with suspicious links
Detection Strategies
- Implement logging and monitoring for all Host header values in password reset requests
- Configure web application firewalls (WAF) to detect and block requests with suspicious Host headers
- Set up alerts for password reset requests where the Host header doesn't match expected application domains
- Review email logs for reset links containing unexpected domain names
Monitoring Recommendations
- Monitor authentication logs for account takeover indicators following password reset attempts
- Set up anomaly detection for password reset patterns, especially multiple resets for high-value accounts
- Implement real-time alerting for Host header values that don't match the application's configured domains
- Track and alert on failed login attempts followed by successful password resets
How to Mitigate CVE-2025-70948
Immediate Actions Required
- Upgrade @perfood/couch-auth to a patched version if available
- Configure your application to use a hardcoded, trusted base URL for password reset links instead of relying on the Host header
- Implement Host header validation to reject requests with unexpected Host values
- Review recent password reset activity for signs of exploitation
Patch Information
Check the GitHub Couch Auth Repository for the latest security updates and patches. Monitor the npm Package for Couch Auth for version updates that address this vulnerability.
Workarounds
- Configure the application to use a static, trusted base URL for all password reset links rather than deriving it from the Host header
- Implement server-side Host header validation that only accepts known, trusted domain values
- Deploy a reverse proxy or WAF that normalizes or validates the Host header before requests reach the application
- Consider implementing additional password reset safeguards such as verification through a secondary channel
# Example: Configure trusted host in environment
export APP_BASE_URL="https://your-trusted-domain.com"
# Example: Nginx configuration to validate Host header
# Add to server block to reject requests with untrusted Host headers
if ($host !~* ^(your-trusted-domain\.com)$) {
return 444;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
