Host Header Injection Vulnerability in CTFd by CTFd
CVE-2025-23001

6.1MEDIUM

Key Information:

Vendor: CTFd
Status: CTFd
Vendor: CVE Published:; 31 January 2025

What is CVE-2025-23001?

A Host Header Injection vulnerability exists in CTFd version 3.7.5 due to inadequate validation and sanitization of the Host header. This weakness allows attackers to alter the Host header in HTTP requests, potentially leading to various security issues, including phishing attacks, unauthorized password resets, and cache poisoning. Properly configuring host header validation is crucial to mitigate the risks associated with this type of vulnerability.

References

https://github.com/CTFd/CTFd

https://codetoanbug.com/poc-cve-2025-23001-ctfd-english/

https://blog.ctfd.io/ctfd-3-7-6/

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 31, 2025
Vulnerability Reserved
Jan 9, 2025