High severityNVD Advisory· Published Jul 7, 2025· Updated Apr 15, 2026

CVE-2025-53373

Description

Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b.

Patches

7401793a8d9e

https://github.com/ahmed-elgaml11/natoursvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/ahmed-elgaml11/Natours/commit/7401793a8d9ed0f0c250c4e0ee2815d685d7a70bnvd
github.com/ahmed-elgaml11/Natours/security/advisories/GHSA-8gmw-7p75-58qvnvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000