Home / Vulnerability Intelligence / CVE-2025-70948

CVE-2025-70948 - Vulnerability Analysis

CriticalCVSS: 9.3

Last Updated: March 6, 2026

@perfood/couch-auth - Host Header Injection

Published: March 5, 2026Updated: March 6, 2026Remote Exploitable

Overview

@perfood/couch-auth 0.26.0 contains a host header injection caused by improper validation of the HTTP Host header in the mailer component, letting attackers obtain reset tokens and execute account takeover via spoofing.

Severity & Score

Severity: Critical

CVSS Score: 9.3

Impact

Attackers can obtain reset tokens and take over user accounts, compromising account security.

Mitigation

Update to the latest version.

References

https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e
https://github.com/perfood/couch-auth
https://www.npmjs.com/package/@perfood/couch-auth

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2025-70948
Severity: Critical
CVSS Score: 9.3
Type: host_header_injection
Status: new

CWE

CWE-644

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N