VYPR
High severity8.2NVD Advisory· Published Oct 16, 2025· Updated Apr 15, 2026

CVE-2025-61536

CVE-2025-61536

Description

FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted req.headers.host header and forces the http:// scheme. An attacker who can control the Host header (or exploit a misconfigured proxy/load-balancer that forwards the header unchanged) can cause reset links to point to attacker-controlled domains or be delivered via insecure HTTP, enabling token theft, phishing, and account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.