CVE-2025-61136

high

Description

A Host Header Injection vulnerability in the password reset component in axewater sharewarez v2.4.3 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME.

References

https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning

https://github.com/axewater/sharewarez/blob/d04c90b7dc3fbae1596f731d1b168d3fb9fdd2df/modules/utils_smtp.py#L191-L206

https://github.com/axewater/sharewarez/blob/d04c90b7dc3fbae1596f731d1b168d3fb9fdd2df/modules/routes_login.py#L188-L217

https://gist.github.com/BrookeYangRui/145e529b5fd4f56af299efde37edf4fa

https://drive.google.com/file/d/15X5L1uEqgWOLrjKqm96cEPAWp2ph0zJp/view?usp=sharing

Details

Source: Mitre, NVD

Published: 2025-10-23

Updated: 2025-10-27

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:C

Severity: High

CVSS v3

Base Score: 7.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Severity: High

EPSS

EPSS: 0.00128