Userfrosting - Host-Header Injection Leads to Account Takeover
Description
UserFrosting versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection allowing account takeover via the forgot password functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
UserFrosting versions v0.3.1 through v4.6.2 are vulnerable to Host Header Injection [1]. The forgot password functionality does not properly validate the Host header, allowing an attacker to craft a malicious link that, when clicked by a victim, triggers a password reset request with an attacker-controlled host [1]. This affects the default configuration where site.uri.public is not explicitly set [3].
Exploitation
An unauthenticated attacker can exploit this by luring a victim application user to click on a specially crafted link [1]. The link directs the victim to the forgot password endpoint with a manipulated Host header. The application then sends a password reset email containing a reset link that points to the attacker-controlled host [1]. If the victim clicks the reset link, the attacker can intercept the request and reset the victim's password, gaining access to the account [1].
Impact
Successful exploitation allows the attacker to reset the victim's password and take over their account completely [1]. This results in full compromise of the victim's user account, including access to any data or functionality associated with that account within the UserFrosting application.
Mitigation
The vulnerability is fixed in commit 796dd78 [3], which adds a placeholder URL for site.uri.public in the configuration to guard against Host Header Injection by default in production. Users should upgrade to a version that includes this fix or apply the commit manually. As a workaround, administrators can explicitly set site.uri.public to the correct public URL in the configuration file [3]. No official release containing the fix has been announced as of the publication date [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
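To show why the mitigation above matters, an added PHP example (not UserFrosting's own code): the first function builds the password-reset link from the request's Host header, the second builds it from a configured site.uri.public and also rejects requests whose Host does not match it, which is stricter than the patch alone. The reset path and the request arrays are assumed and constructed for the example.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: the link's origin is copied from the request's Host
// header, so a request carrying a forged Host yields a link to that host.
function resetUrlFromHost(array $server, string $token): string
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $server['HTTP_HOST']
        . '/account/reset-password?token=' . rawurlencode($token); // path assumed
}

// Hardened pattern: the origin comes only from the configured public URI
// (what site.uri.public provides). A missing value is refused rather than
// falling back to the Host header, and a mismatching Host is rejected so the
// attempt can be logged and alerted on.
function resetUrlFromConfig(?string $publicUri, array $server, string $token): string
{
    if ($publicUri === null || $publicUri === '') {
        throw new RuntimeException('site.uri.public must be set in production');
    }
    $expected = parse_url($publicUri, PHP_URL_HOST);
    $got = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]); // drop any port
    if (!is_string($expected) || $got !== strtolower($expected)) {
        throw new RuntimeException('Host header does not match site.uri.public');
    }
    return rtrim($publicUri, '/') . '/account/reset-password?token=' . rawurlencode($token);
}

// Constructed sample request whose Host header was forged by the sender.
$forged = ['HTTP_HOST' => 'attacker.example', 'HTTPS' => 'on'];
$token  = 'constructed-token'; // stands in for the real random reset token

echo resetUrlFromHost($forged, $token), PHP_EOL;   // link points at the forged host
try {
    echo resetUrlFromConfig('https://myapp.example', $forged, $token), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;  // hardened version refuses it
}
// A request with the legitimate Host yields a link on the configured origin.
echo resetUrlFromConfig('https://myapp.example', ['HTTP_HOST' => 'myapp.example'], $token), PHP_EOL;
```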
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| userfrosting/userfrosting (Packagist) | >= 0.3.1, < 4.6.3 | 4.6.3 |
Affected products
- Range: 0.3.1
Patches
- 796dd7875790: Placeholder for `site.uri.public` in production
2 files changed · +8 −0
app/sprinkles/core/config/production.php+3 −0 modified@@ -52,6 +52,9 @@ 'ajax' => false, 'info' => false, ], + 'uri' => [ + 'public' => 'https://example.com', + ], ], /* * Send errors to log
CHANGELOG.md+5 −0 modified@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## Unreleased + +### Security +- Added placeholder URL for `site.uri.public` in configuration to guard against Host Header Injection attacks by default in production. + ## [v4.6.2] ### Changes
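Review bot: in the app/sprinkles/core/config/production.php hunk, the new `'public' => 'https://example.com'` placeholder is a sentinel rather than a working value, so a deployment that upgrades without overriding it will send password-reset links pointing at example.com; add an inline comment on that key stating it must be set to the site's real public URL, and consider a startup check that refuses the placeholder in production so the misconfiguration fails loudly.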
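Review bot: the CHANGELOG.md hunk under `### Security` records the guard but not the operator action it requires; state that after upgrading `site.uri.public` must be set to the real public URL (otherwise reset links use the placeholder), and reference the advisory GHSA-cv25-3gmg-c6m8 so the entry is traceable.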
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-cv25-3gmg-c6m8 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-25994
- [3] github.com/userfrosting/UserFrosting/commit/796dd78757902435d1bd286415feea78098e45ba
- [4] www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25994