HTTP Host Header Injection in Icewarp Mail Server
CVE-2025-40631

2LOW

Key Information:

Vendor: Icewarp
Status: Icewarp Mail Server
Vendor: CVE Published:; 16 May 2025

What is CVE-2025-40631?

The Icewarp Mail Server is susceptible to an HTTP host header injection vulnerability. By manipulating the Host header to include a malicious payload, attackers can execute arbitrary JavaScript code upon page load. This exploitation requires user interaction with a malicious link, potentially compromising the security of the user's session and sensitive information.

Affected Version(s)

Icewarp Mail Server 11.4.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

B3xal

CVE-2025-40631 Data

JSON