CVE-2025-61536
Published
CVSS v3: 8.2 HIGH
CVSS v2: N/A
Affected: 2 projects
Description
FelixRiddle dev-jobs-handlebars 1.0 builds absolute password-reset (magic) links from the untrusted `req.headers.host` header and hard-codes the `http://` scheme. An attacker who can control the `Host` header (or who exploits a misconfigured proxy or load balancer that forwards the header unchanged) can cause reset links to point at attacker-controlled domains or to be delivered over insecure HTTP, enabling token theft, phishing, and account takeover.
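The pattern described above, shown beside a hardened builder, as an added example (not code from dev-jobs-handlebars or its author): the fix is to take the origin from configuration rather than the request, and to check the incoming `Host` against that configured origin. `appBaseUrl`, the route path and the sample values are assumptions.

```javascript
// Added example, not project code. Function and config names are hypothetical.

// Vulnerable pattern: scheme hard-coded to http, host copied from the request.
// Whoever controls the Host header controls where the reset link points.
function buildResetLinkVulnerable(req, token) {
  return `http://${req.headers.host}/reset-password/${token}`;
}

// Hardened: the origin comes from trusted configuration, never from the request,
// and the builder refuses a non-https base so links are never sent in the clear.
function makeResetLinkBuilder(config) {
  const base = new URL(config.appBaseUrl); // e.g. "https://jobs.example.com"
  if (base.protocol !== 'https:') {
    throw new Error('appBaseUrl must use https');
  }
  return function buildResetLink(token) {
    // Resolving a path against the configured base keeps scheme and host fixed.
    return new URL(`/reset-password/${encodeURIComponent(token)}`, base).toString();
  };
}

// Defensive check: reject or log requests whose Host does not match the
// configured origin before any absolute link is generated from them.
function hostMatchesConfig(req, config) {
  const expected = new URL(config.appBaseUrl).host; // host[:port]
  const got = req.headers.host;
  return typeof got === 'string' && got.toLowerCase() === expected.toLowerCase();
}

// Constructed sample: a request carrying an attacker-chosen Host header.
const sampleConfig = { appBaseUrl: 'https://jobs.example.com' };
const spoofedReq = { headers: { host: 'evil.example' } };
const sampleToken = 'tok123';

console.log('vulnerable:', buildResetLinkVulnerable(spoofedReq, sampleToken));
console.log('hardened:  ', makeResetLinkBuilder(sampleConfig)(sampleToken));
console.log('host ok?   ', hostMatchesConfig(spoofedReq, sampleConfig));
```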
This repository contains my independent vulnerability research, including CVEs, bug reports, and analysis of various software and platforms.