[SECURITY] Host Header Injection Leading to Account Takeover (CVE-2025-43933)
Security Advisory: Host Header Injection Leading to Password Reset Poisoning
Description
fblog contains a Host Header injection vulnerability due to the lack of a configured SERVER_NAME in the Flask application. As a result, url_for(..., _external=True) generates password reset links based on the untrusted Host header. By forging this header, an attacker can hijack the password reset process and take over user accounts.
Affected Project:
ghost123gg/fblog — commit 983bede.
Affected Code:
https://github.com/ghost123gg/fblog/blob/983bedec9f837a54ab2dfd358a9cb45504a2e709/app/templates/auth/email/resetPassword.html#L1-L8
Impact:
- Remote account takeover
Attack Vector:
An attacker crafts a request with a malicious Host header, causing the reset link to point to a domain under their control. The victim clicks the link, exposing the reset token to the attacker.
Recommended Remediation:
- Explicitly set `SERVER_NAME`.
- Validate or sanitize the `Host` header.
- Remove `_external=True` if unnecessary.
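To show what the attack vector and the first two remediations mean in code, here is an added, dependency-free model of how an `_external=True` reset link gets its authority; it is not fblog's code and does not import Flask. It assumes a reset route of `/auth/reset/<token>` (a placeholder, not fblog's real path) and follows Werkzeug's `trusted_hosts` convention, where an entry with a leading dot also matches subdomains.

```python
"""Password-reset link builder: untrusted Host header vs. pinned SERVER_NAME."""
from typing import List, Optional
from urllib.parse import urlunsplit


class UntrustedHost(Exception):
    """Raised when the incoming Host header is not in the allow-list."""


def host_is_trusted(host: str, trusted_hosts: List[str]) -> bool:
    """Allow-list check in the style of Werkzeug's trusted_hosts: an entry
    matches exactly, and a leading-dot entry ('.blog.example') also matches
    any subdomain. The port is ignored; IPv6 literals are not handled here."""
    hostname = host.split(":", 1)[0].lower()
    for entry in trusted_hosts:
        entry = entry.lower()
        if entry.startswith("."):
            bare = entry[1:]
            if hostname == bare or hostname.endswith(entry):
                return True
        elif hostname == entry:
            return True
    return False


def build_reset_link(token: str, host_header: str,
                     server_name: Optional[str] = None,
                     trusted_hosts: Optional[List[str]] = None,
                     scheme: str = "https") -> str:
    """Build the absolute URL embedded in the reset e-mail.

    Called with server_name=None and trusted_hosts=None this reproduces the
    vulnerable behaviour the advisory describes: the URL's authority is
    whatever the client sent in Host. Pinning server_name or supplying an
    allow-list closes the hole in the two ways the remediation lists.
    """
    if trusted_hosts is not None and not host_is_trusted(host_header, trusted_hosts):
        raise UntrustedHost(host_header)
    authority = server_name or host_header  # url_for(_external=True) prefers SERVER_NAME
    return urlunsplit((scheme, authority, f"/auth/reset/{token}", "", ""))


if __name__ == "__main__":
    token = "TOKEN-PLACEHOLDER"            # constructed, not a real token
    forged = "attacker.example"            # constructed sample Host value
    print("unpinned:", build_reset_link(token, forged))
    print("pinned:  ", build_reset_link(token, forged, server_name="blog.example"))
    try:
        build_reset_link(token, forged, trusted_hosts=["blog.example"])
    except UntrustedHost as exc:
        print("rejected Host header:", exc)
```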
CVE ID:
CVE-2025-43933
Reported by:
Rui Yang and Zhengyu Liu
Reference:
PortSwigger: Password Reset Poisoning
Disclosure Policy:
If the issue is not resolved within 90 days, public disclosure will be coordinated via the CVE authority.
For maintainers:
Please consider converting this issue into an official GitHub Security Advisory.
CVE ID reserved: CVE-2025-43933.