VYPR

@perfood/couch Auth

by @perfood

CVEs (3)

  • CVE-2025-70948 | Critical | Mar 5, 2026
    risk 0.60 | cvss 9.3 | epss 0.00

    A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.

  • CVE-2025-70949 | High | Mar 5, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.

  • CVE-2023-39655 | Jan 3, 2024
    risk 0.00 | cvss | epss 0.01

    A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicked, lead to an…