Host Header Injection Vulnerability in Perfood's Couch-Auth Package
CVE-2024-57177

7.3HIGH

Key Information:

Vendor
Perfood
Status
Couch-Auth
Vendor
CVE Published:
10 February 2025

Summary

A host header injection vulnerability in Perfood's Couch-Auth NPM package allows attackers to manipulate the host header in an email change confirmation request. This vulnerability can lead to server-side template injection (SSTI), enabling adversaries to execute limited commands or disclose sensitive server-side information by sending crafted requests.

References

https://github.com/perfood/couch-auth
https://github.com/waristea/cve-research/tree/main/CVE-20...

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.