
[SECURITY] Host Header Injection Leading to Account Takeover (CVE-2025-43932)

Open BrookeYangRui opened this issue 6 months ago • 0 comments

Security Advisory: Host Header Injection Leading to Password Reset Poisoning

Description
JobCenter is vulnerable to Host Header injection due to the absence of a properly configured SERVER_NAME in the Flask application. Consequently, url_for(..., _external=True) relies on the incoming Host header, which can be spoofed by an attacker to redirect the password reset link to a malicious domain, allowing token interception.

Affected Project:
guomaoqiu/JobCenter — commit 7e7b0b2.

Affected Code:
https://github.com/guomaoqiu/JobCenter/blob/7e7b0b2/app/templates/auth/email/reset_password.txt

Impact:

  • Remote account takeover

Attack Vector:
The attacker manipulates the Host header to generate a reset link pointing to an attacker-controlled site. When the victim uses this link, the token leaks to the attacker.

Recommended Remediation:

  • Configure SERVER_NAME in app.config.
  • Sanitize or validate the Host header.
  • Remove _external=True if it is not strictly necessary.

CVE ID:
CVE-2025-43932

Reported by:
Rui Yang and Zhengyu Liu

Reference:
PortSwigger: Password Reset Poisoning

Disclosure Policy:
If the issue is not resolved within 90 days, public disclosure will be coordinated via the CVE authority.

For maintainers:
Please consider converting this issue into an official GitHub Security Advisory.
CVE ID reserved: CVE-2025-43932.

BrookeYangRui, Jun 13 '25 22:06
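The mechanism the advisory describes, shown as an added, stand-alone example that is not JobCenter's code and not part of the original report. It models, in plain Python with no Flask dependency, how `url_for(..., _external=True)` picks its host: with no `SERVER_NAME` configured the host is taken from the request's `Host` header, so an attacker who triggers a password reset for the victim's address with a spoofed `Host` gets a reset link pointing at their own domain; with `SERVER_NAME` set, the configured value is used instead. The second function is the "validate the Host header" remediation as an allow-list check. The reset path, host names, token value and function names are this example's own assumptions.

```python
"""Password reset poisoning via the Host header: vulnerable vs. hardened.

Added example (not JobCenter code). It mirrors Flask's documented behaviour
for url_for(_external=True): the host is SERVER_NAME if configured, otherwise
the incoming Host header. Names, hosts and the token are constructed.
"""
from urllib.parse import urlunsplit

# Constructed sample values for the walkthrough.
LEGIT_HOST = "jobcenter.example"          # where the app is really served
ATTACKER_HOST = "evil.example"            # Host header the attacker sends
RESET_TOKEN = "tok-4f1c"                  # placeholder reset token
RESET_PATH = "/auth/reset_password/"      # assumed route, not the real one


def external_reset_url(host_header, token, server_name=None, scheme="https"):
    """Build the absolute reset link the way url_for(_external=True) does.

    server_name=None models an app with no SERVER_NAME configured: the host
    is copied from the request, so a spoofed Host header lands in the email.
    With server_name set, the request header is ignored.
    """
    host = server_name if server_name else host_header
    return urlunsplit((scheme, host, RESET_PATH + token, "", ""))


ALLOWED_HOSTS = {LEGIT_HOST}


def validate_host(headers, allowed=ALLOWED_HOSTS):
    """Allow-list check for the Host header (the 'validate Host' remediation).

    Case-insensitive exact match; anything else is rejected before any
    external URL is generated. Returns the normalised host or raises.
    """
    host = headers.get("Host", "").strip().lower()
    if host not in allowed:
        raise ValueError(f"untrusted Host header: {host!r}")
    return host


def walkthrough():
    """Return (poisoned_link, safe_link) for the attacker's request."""
    request_headers = {"Host": ATTACKER_HOST}   # constructed attacker request

    # Vulnerable configuration: link built from the spoofed header.
    poisoned = external_reset_url(request_headers["Host"], RESET_TOKEN)

    # Hardened configuration: SERVER_NAME wins, header is irrelevant.
    safe = external_reset_url(request_headers["Host"], RESET_TOKEN,
                              server_name=LEGIT_HOST)
    return poisoned, safe


if __name__ == "__main__":
    bad, good = walkthrough()
    print("no SERVER_NAME :", bad)     # attacker-controlled host in the link
    print("with SERVER_NAME:", good)   # legitimate host
    try:
        validate_host({"Host": ATTACKER_HOST})
    except ValueError as exc:
        print("validate_host   :", exc)
```

In a real Flask deployment the equivalent of the `server_name` branch is `app.config["SERVER_NAME"] = "jobcenter.example"` (set to the exact host the app is served on, since Flask also uses it for routing), and the allow-list check belongs in a `before_request` hook that aborts the request before any reset email is built. If the app sits behind a proxy that is allowed to rewrite the host (for example via `X-Forwarded-Host`), that header needs the same allow-list treatment, otherwise the check is bypassed one hop upstream.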