Host Header Injection Vulnerability in Hotspot Shield VPN Client
CVE-2025-40710
2.3 LOW
What is CVE-2025-40710?
A Host Header Injection vulnerability exists in the Hotspot Shield VPN Client that allows an attacker to manipulate host headers when routing traffic through the VPN. This can lead to unintended HTTP request redirections and may expose users to risks, including the possibility of sending data to malicious servers. The vulnerability is rooted in the interpretation of host headers by the VPN client rather than any inherent flaw in the applications being accessed. As a result, attackers could exploit this issue to redirect user traffic to untrusted environments, potentially facilitating further attacks.
Affected Version(s)
Hotspot Shield VPN client 12.9.2