VYPR
Moderate severity · NVD Advisory · Published Apr 18, 2025 · Updated Apr 22, 2025

CVE-2024-29643

Description

Croogo v3.0.2 suffers from Host header injection in the feed.rss component, enabling redirection and content injection attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2024-29643 is a Host header injection vulnerability in Croogo v3.0.2, a CakePHP-powered content management system [3]. The flaw resides in the feed.rss component, which uses the HTTP Host header value without proper validation [1]. This allows an attacker to manipulate the Host header in requests to the server, leading to potential exploits such as redirecting users to malicious sites, injecting malicious content into pages, or conducting phishing attacks [2].

Attack Vector

An attacker can exploit this vulnerability by crafting an HTTP request to a Croogo v3.0.2 instance where the Host header is set to a malicious domain (e.g., 'evil.com') [2]. The server accepts this unvalidated header and incorporates it into generated RSS feed links or redirects. No authentication is required for this attack, as the vulnerability is exposed through the feed endpoint [1][2].

Impact

Successful exploitation can cause users to be redirected to attacker-controlled sites or see injected content, undermining the integrity of the web application [2]. This can be leveraged for social engineering, malware distribution, or credential theft.

Mitigation

As of the publication date, no patch is observed in the official Croogo repository [3]. The vendor recommends implementing robust Host header validation, including whitelisting allowed domain values and ensuring generated links use verified host values [2]. Users should apply such mitigations or consider disabling the feed.rss component until a fix is available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
croogo/croogo (Packagist)    <= 3.0.2            (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing validation and filtration of the HTTP Host header value in the feed.rss component allows an attacker to inject arbitrary host values into server-generated responses."

Attack vector

An attacker crafts an HTTP request to the Croogo server and manipulates the Host header to contain a malicious domain (e.g., "evil.com") [ref_id=1]. The server then uses this unvalidated Host header value when generating the RSS feed response, which can cause links and redirects within the feed to point to the attacker-controlled domain [ref_id=1]. This can lead to users being redirected to malicious sites, injection of malicious content into pages, or phishing attacks [ref_id=1]. The attack requires no authentication and can be performed over a standard HTTP connection to any exposed Croogo instance [CWE-444] [CWE-74].

Affected code

The vulnerability is in the feed.rss component of Croogo v3.0.2 [ref_id=1]. The server uses the HTTP Host header value without proper validation or filtration when generating RSS feed responses [ref_id=1]. The specific file or function responsible for handling the Host header in the feed.rss endpoint is not identified in the available references.

What the fix does

No patch or code fix is included in the available references. The advisory recommends implementing robust validation and filtration of the Host header value, including verifying that the domain matches expected application domains, ensuring generated links and redirects use validated domain values, and employing whitelisting for allowed Host header values [ref_id=1]. Without a published fix, administrators should apply input validation on the Host header at the web server or application level as a workaround.
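The two passages above (Mitigation, and What the fix does) describe the same countermeasure without showing it: compare the request's Host header against an allowlist of expected hostnames, and build absolute links and redirects from a configured canonical base rather than from the request. The following Python is an added illustration of that pattern; it is not Croogo or CakePHP code, and the hostnames, the `ALLOWED_HOSTS` set, the `CANONICAL_BASE_URL` value and the sample request headers are constructed for the example. The unsafe link builder is included only to make the contrast with the validated one concrete.

```python
"""Allowlist-based Host header validation for a feed endpoint (added example,
not Croogo code). Hostnames and configuration values below are constructed."""
import re
from typing import Dict, Optional, Set

# Hostnames this deployment legitimately answers for (constructed sample config).
ALLOWED_HOSTS: Set[str] = {"blog.example.org", "www.example.org"}
# Base used for every absolute URL the application emits, independent of the request.
CANONICAL_BASE_URL = "https://blog.example.org"

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, each label at most 63 characters.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the lowercase hostname from a Host header value, or None if the
    value is missing or malformed (anything that is not host[:port])."""
    if not host_header:
        return None
    value = host_header.strip().lower()
    match = re.fullmatch(r"([a-z0-9.-]+)(?::(\d{1,5}))?", value)
    if match is None:
        return None
    host = match.group(1)
    if len(host) > 253 or _HOST_RE.fullmatch(host) is None:
        return None
    return host


def is_allowed_host(host_header: Optional[str],
                    allowed: Set[str] = ALLOWED_HOSTS) -> bool:
    """True only when the normalized Host header is in the configured allowlist."""
    host = normalize_host(host_header)
    return host is not None and host in allowed


def feed_item_link_unsafe(headers: Dict[str, str], path: str) -> str:
    """The vulnerable pattern: the absolute link inherits whatever Host the
    client sent, so a spoofed header ends up in the served feed."""
    return "https://" + headers.get("Host", "") + path


def feed_item_link_safe(headers: Dict[str, str], path: str,
                        allowed: Set[str] = ALLOWED_HOSTS,
                        canonical: str = CANONICAL_BASE_URL) -> str:
    """Reject requests whose Host is not allowlisted, and build the link from the
    configured canonical base so the request header never reaches the output."""
    if not is_allowed_host(headers.get("Host"), allowed):
        raise ValueError("Host header not in allowlist; refusing to serve feed")
    return canonical + path


# Constructed sample requests: one legitimate, one with a spoofed Host header.
LEGIT_REQUEST = {"Host": "www.example.org"}
SPOOFED_REQUEST = {"Host": "evil.com"}


def demo() -> Dict[str, str]:
    """Show the unsafe and safe builders side by side on the sample requests."""
    results = {
        "unsafe_spoofed": feed_item_link_unsafe(SPOOFED_REQUEST, "/feed.rss"),
        "safe_legit": feed_item_link_safe(LEGIT_REQUEST, "/feed.rss"),
    }
    try:
        feed_item_link_safe(SPOOFED_REQUEST, "/feed.rss")
        results["safe_spoofed"] = "served (unexpected)"
    except ValueError as exc:
        results["safe_spoofed"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allowlist check belongs as early as possible, ideally at the web server or reverse proxy (a default virtual host that answers unknown Host values with an error), with the application check as a second layer. Building links from a fixed canonical base is what removes the injection path entirely: once no output is derived from the request's Host header, a spoofed value has nothing to influence. In a CakePHP application the analogous setting is the `App.fullBaseUrl` configuration value, which pins the base used for absolute URLs instead of deriving it from the request.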

Preconditions

  • network: The attacker must be able to send HTTP requests to a publicly accessible Croogo v3.0.2 instance.
  • auth: No authentication is required; the feed.rss endpoint is publicly accessible.
  • config: The server must be configured to use the Host header value from incoming requests without validation.
  • input: The attacker controls the Host header value in the HTTP request.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
