CVE-2025-27913
Published: 10 March 2025
Description
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.
Security Summary
CVE-2025-27913 affects the Passbolt API in versions before 5. The vulnerability arises when the server is misconfigured through an incorrect installation process and disregard of Health Check results, enabling the API to send email messages that incorporate a domain name sourced from an attacker-controlled HTTP Host header. This constitutes a Host Header Injection issue, mapped to CWE-348, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
An unauthenticated remote attacker can trigger the flaw over the network with low complexity and no user interaction: a crafted HTTP request carrying a manipulated Host header causes the domain name embedded in the e-mail the Passbolt server then sends to be the attacker's rather than the real instance's, so recipients receive a message that appears to come from, and points back to, a host the attacker controls (high integrity impact; no confidentiality or availability impact is claimed). The precondition is the misconfiguration described above: on a correctly installed instance the configured base URL is used instead of the request's Host header and the Health Check flags the mismatch, so the bug bites only where that installation step was skipped and the Health Check warning ignored.
The official advisory from Passbolt, available at https://www.passbolt.com/incidents/host-header-injection, provides details on mitigation steps for this issue.
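The following is an added illustration of the CWE-348 pattern behind this CVE, not Passbolt's own code (Passbolt is a PHP application and the real defect lives in how it resolves its base URL). It contrasts a link builder that copies the request's Host header into an outgoing e-mail with one anchored to an operator-configured base URL, adds the kind of host-versus-configuration comparison a deployment health check performs, and an outbound scan that flags e-mail links pointing at a host other than the configured one. `CONFIGURED_BASE_URL`, `RECOVERY_PATH` and the e-mail text are constructed example values; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed example values; in a real deployment the canonical URL comes
# from the application's configuration, never from any request.
CONFIGURED_BASE_URL = "https://passbolt.example.com"

# Hypothetical path, used only to make the sample e-mail concrete.
RECOVERY_PATH = "/setup/recover/"


def _host_port(netloc: str, scheme: str) -> tuple[str, int]:
    """Split 'host[:port]' into (host, port), filling in the scheme's default
    port so 'example.com' and 'example.com:443' compare equal over https.
    (IPv6 literals are out of scope for this illustration.)"""
    host, sep, port = netloc.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return netloc.lower(), 443 if scheme == "https" else 80


def vulnerable_link(host_header: str, path: str) -> str:
    """Misconfigured behaviour: the link's authority is copied straight from
    the request's Host header, which any remote client can set at will."""
    return f"https://{host_header}{path}"


def hardened_link(host_header: str, path: str, base_url: str = CONFIGURED_BASE_URL) -> str:
    """Correct behaviour: the Host header is ignored entirely and the link is
    anchored to the operator-configured base URL."""
    return base_url.rstrip("/") + path


def host_matches_config(host_header: str, base_url: str = CONFIGURED_BASE_URL) -> bool:
    """Deployment-time sanity check in the spirit of a health check: does the
    host clients use to reach the application agree with its configured URL?
    False is the condition under which the misconfiguration is exploitable."""
    cfg = urlsplit(base_url)
    return _host_port(host_header, cfg.scheme) == _host_port(cfg.netloc, cfg.scheme)


def render_recovery_mail(host_header: str, token: str, link_builder) -> str:
    """Constructed outgoing e-mail body. link_builder is one of the two
    functions above, selecting the vulnerable or the hardened behaviour."""
    link = link_builder(host_header, RECOVERY_PATH + token)
    return (
        "Someone requested recovery of your account.\n"
        f"Follow this link to continue: {link}\n"
    )


def find_foreign_links(email_body: str, base_url: str = CONFIGURED_BASE_URL) -> list[str]:
    """Outbound check: return every absolute URL in the message whose host and
    port are not the configured ones (a scheme downgrade to http also changes
    the default port and is therefore flagged). Anything returned is evidence
    that request-controlled data reached the e-mail."""
    cfg = urlsplit(base_url)
    expected = _host_port(cfg.netloc, cfg.scheme)
    foreign = []
    for url in re.findall(r"https?://[^\s\"'<>]+", email_body):
        parts = urlsplit(url)
        if _host_port(parts.netloc, parts.scheme) != expected:
            foreign.append(url)
    return foreign


if __name__ == "__main__":
    # Attacker's request: GET /... HTTP/1.1 with "Host: evil.example"
    spoofed = render_recovery_mail("evil.example", "abc123", vulnerable_link)
    safe = render_recovery_mail("evil.example", "abc123", hardened_link)
    print("host matches config:", host_matches_config("evil.example"))
    print("foreign links (vulnerable):", find_foreign_links(spoofed))
    print("foreign links (hardened):", find_foreign_links(safe))
```

The point of `host_matches_config` is that the comparison has to happen at install time, before any mail is sent: once a server is trusting Host, every request is a fresh opportunity to pick the domain. `find_foreign_links` is a belt-and-braces control for an outbound mail path, useful as a regression test or a mail-queue hook, but it does not replace fixing the base URL configuration.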
Details
- CWE(s)
  - CWE-348: Use of Less Trusted Source
Affected Products
- Passbolt API, versions before 5
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1672: Email Spoofing
Why these techniques?
The vulnerability is a Host header injection flaw in a public-facing Passbolt API that lets a remote, unauthenticated attacker choose the domain name in e-mail the server sends. Reaching it means exploiting a public-facing application (T1190), and the outcome, mail that carries an attacker-chosen domain, is email spoofing (T1672).