High severity8.2NVD Advisory· Published Oct 16, 2025· Updated Apr 15, 2026
CVE-2025-61536
CVE-2025-61536
Description
FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted req.headers.host header and forces the http:// scheme. An attacker who can control the Host header (or exploit a misconfigured proxy/load-balancer that forwards the header unchanged) can cause reset links to point to attacker-controlled domains or be delivered via insecure HTTP, enabling token theft, phishing, and account takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.