VYPR
High severity · NVD Advisory · Published Jan 3, 2024 · Updated Jun 18, 2025

CVE-2023-39655

Description

@perfood/couch-auth <=0.20.0 has a host header injection bug in password reset that lets attackers steal reset tokens and take over accounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

A host header injection vulnerability resides in the password reset functionality of @perfood/couch-auth, an authentication solution for CouchDB [1]. When a forgot-password request is processed, the application constructs a password reset link using the value of the Host HTTP header without proper validation or sanitization [2]. This allows an attacker to inject their own server's host into the generated link.

Attack

Vector and Prerequisites

The attacker sends a specially crafted Host header in a password reset request for any targeted user [3]. No authentication is required to trigger the forgot-password flow. The package documentation notes that CouchAuth is typically deployed behind a load balancer [1], but the vulnerable code does not depend on any particular network infrastructure.

Impact

If the targeted user clicks the link (which appears to come from a legitimate source, but points to the attacker's server), the password reset token is sent to the attacker [2]. With the token, the attacker can complete the password reset process and change the victim's password, thereby gaining full account control [3].

Mitigation

Status

The vulnerability exists in versions ≤0.20.0. As of the publication date, no patched version has been released [3]. Users should monitor the repository for a fix or implement a workaround such as validating the Host header against a whitelist of allowed origins at the reverse proxy level.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
@perfood/couch-auth  npm         <= 0.20.0           none

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
