CRITICALπŸ‡΅πŸ‡± Wersja polska

CVE-2023-39655

CVSS 9.6v3.1pub. 2024-01-03upd. 2025-06-18

A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This may allow an attacker to reset other users' passwords and take over their accounts.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Perfood Couchauth

    APP
    Perfood
    ≀ 0.20.0
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-60794MEDIUM6.5ten sam produkt

Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory withou...

CVE-2023-39655 β€” Perfood β€” Couchauth β€” CRITICAL β€” CVSS 9.6 | CVEbaza.pl