VYPR
Moderate severity · NVD Advisory · Published Nov 18, 2025 · Updated Nov 19, 2025

CVE-2025-63828

Description

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Backdrop CMS 1.32.1 is vulnerable to Host Header Injection in password reset requests, enabling redirects to malicious domains and potential session hijacking.

Vulnerability

Description

The vulnerability is a Host Header Injection in Backdrop CMS version 1.32.1, specifically within the password reset functionality. The application fails to validate or sanitize the Host header provided in HTTP requests, allowing an attacker to inject arbitrary values [1]. This flaw originates from the lack of strict checking of the Host header when generating password reset links [2].

Exploitation

To exploit this vulnerability, an attacker can craft a password reset request with a manipulated Host header pointing to a malicious domain. When a user clicks the password reset link in the email, the user's browser may be redirected to the attacker-controlled domain. The attack requires no authentication and can be performed remotely over the network. Proof-of-concept code is publicly available [3].

Impact

Successful exploitation can lead to redirecting users to malicious websites, potentially resulting in credential theft or malware installation. Additionally, the attacker may inject cookies into the legitimate site's session, leading to session hijacking [1]. This can compromise user accounts and sensitive data.

Mitigation

As of the publication date, no official patch has been released for this vulnerability. Users are advised to implement workarounds such as configuring web server rules to validate the Host header or using a reverse proxy. The vendor has been notified through security channels [2].
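One way to apply the web-server-side workaround described above, as an added example that is not from the advisory or from the Backdrop project: an nginx configuration whose catch-all default server drops any request whose Host header does not match the site's canonical hostname, so only requests for that hostname ever reach Backdrop. The hostname example.org, the certificate paths, the document root and the PHP-FPM socket path are assumptions.

```nginx
# Catch-all server: a request whose Host header matches no server_name
# below lands here and is dropped without a response.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx 1.19.4+; no certificate needed for the catch-all
    return 444;                # close the connection, never pass it to Backdrop
}

# Plain HTTP for the canonical hostname only (assumed: example.org).
server {
    listen 80;
    server_name example.org;
    return 301 https://example.org$request_uri;
}

# HTTPS for the canonical hostname only; this is the sole path to the application.
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/ssl/certs/example.org.crt;     # assumed path
    ssl_certificate_key /etc/ssl/private/example.org.key;   # assumed path

    root  /var/www/backdrop;   # assumed Backdrop document root
    index index.php;

    location / {
        # Clean-URL rewrite used by Backdrop (Drupal 7 style ?q= routing)
        try_files $uri /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }
}
```

After `nginx -t` and a reload, a request carrying an unrecognised Host value (for example `curl -sI -H 'Host: not-example.org' http://127.0.0.1/`) should get an empty reply, while requests for example.org are served normally.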

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
backdrop/backdrop (Packagist)    <= 1.32.0           none listed

Affected products: 2

Patches: 0 (no patches discovered yet)
