LeakyCreds

CVE-2025-70948 - Vulnerability Analysis

Critical | CVSS: 9.3

Last Updated: March 6, 2026

@perfood/couch-auth - Host Header Injection

Published: March 5, 2026 | Updated: March 6, 2026 | Remote Exploitable

Overview

@perfood/couch-auth 0.26.0 contains a host header injection vulnerability in its mailer component. The HTTP Host header is not properly validated, so an attacker who spoofs it can obtain reset tokens and take over accounts.

Severity & Score

Severity: Critical
CVSS Score: 9.3
EPSS Score: 2.9% (probability of exploitation in the next 30 days)

Impact

Attackers can obtain reset tokens and take over user accounts, compromising account security.

Mitigation

Update to the latest version.
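
The bug class described in the Overview (CWE-644), as an added example that is not code from @perfood/couch-auth: a reset link whose origin is taken from the request's Host header, beside one built only from server-side configuration. The function names, the /reset path, the ALLOWED_ORIGINS list and all host names are assumptions made for illustration.

```javascript
// Added illustration, not the project's code. All names here are hypothetical.

// Constructed allowlist of origins the service is actually served from.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Weak pattern: the origin of the e-mailed link comes from the client-supplied
// Host header, so whoever controls that header controls where the token is sent.
function buildResetLinkUnsafe(req, token) {
  return `https://${req.headers.host}/reset?token=${encodeURIComponent(token)}`;
}

// Hardened pattern: the origin comes from configuration and must be allowlisted.
// Nothing from the request influences the link.
function buildResetLinkSafe(configuredOrigin, token) {
  const origin = new URL(configuredOrigin).origin;
  if (!ALLOWED_ORIGINS.has(origin)) {
    throw new Error(`origin not allowlisted: ${origin}`);
  }
  const link = new URL('/reset', origin);
  link.searchParams.set('token', token);
  return link.toString();
}

// Request-level guard: refuse to process a reset request whose Host header
// does not match an allowlisted origin (also useful as a log/alert signal).
function hostIsExpected(req) {
  const host = String(req.headers.host || '').toLowerCase();
  for (const origin of ALLOWED_ORIGINS) {
    if (new URL(origin).host === host) return true;
  }
  return false;
}

// Constructed sample requests (not captured traffic).
const normalReq = { headers: { host: 'app.example.com' } };
const spoofedReq = { headers: { host: 'attacker.example' } };

console.log(buildResetLinkUnsafe(spoofedReq, 'tok123')); // link points off-site
console.log(buildResetLinkSafe('https://app.example.com', 'tok123'));
console.log(hostIsExpected(normalReq), hostIsExpected(spoofedReq));
```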

Social Media Activity (1 post)

TheHackerWire (@thehackerwire), Mar 7, 2026

CVE-2025-70948 - Critical (9.3) A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header. https://www.thehackerwire.com/vulnerability/CVE-2025-70948/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2025-70948
Severity: Critical
CVSS Score: 9.3
Type: host_header_injection
Status: new
EPSS: 2.9%
Social Posts: 1

CWE

  • CWE-644

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Score

2.9% (probability of exploitation in the next 30 days)