Remote Account Takeover Vulnerability in Natours Tour Booking API
CVE-2025-53373
8.9 HIGH
What is CVE-2025-53373?
The Natours Tour Booking API is vulnerable to account takeover because the /forgetpassword endpoint trusts the Host header of the incoming request. An attacker can exploit this by sending a crafted request whose Host header names a server they control, which can grant them unauthorized control over any user account. The issue is addressed in commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b; users are encouraged to update their deployments to that commit or later to mitigate the risk.
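The mitigation for this class of bug is to stop deriving the password-reset link from the request and to reject requests whose Host header does not match the deployment's own hostnames. The example below is added here for illustration and is not code from the Natours project or its fix. It assumes an Express-style request object (`req.protocol`, `req.headers.host`); the configuration object, the `/resetpassword/<token>` path and all hostnames are constructed placeholders.

```javascript
// Added example, not Natours code. Shows the weak pattern beside a hardened one
// for building the link that a "forgot password" endpoint mails to the user.

// Weak pattern: the origin of the reset link is taken from the client-controlled
// Host header, so whoever sends the request decides where the link points.
function buildResetUrlFromHostHeader(req, token) {
  return `${req.protocol}://${req.headers.host}/resetpassword/${token}`;
}

// Hardened pattern: the public origin comes from server configuration and the
// Host header is only compared against an allowlist (constructed values).
const config = {
  publicOrigin: 'https://natours.example',
  allowedHosts: new Set(['natours.example', 'www.natours.example']),
};

// Normalise a Host header value for comparison: lowercase, port removed.
// (IPv6 literals are not handled; the allowlist here is hostnames only.)
function normaliseHost(hostHeader) {
  return String(hostHeader || '').trim().toLowerCase().split(':')[0];
}

function isAllowedHost(hostHeader, cfg = config) {
  return cfg.allowedHosts.has(normaliseHost(hostHeader));
}

// Builds the reset link from configuration only. A request whose Host header
// is not one of ours is rejected instead of being echoed into the link.
function buildResetUrlSafe(req, token, cfg = config) {
  if (!isAllowedHost(req.headers.host, cfg)) {
    throw new Error(`rejected request with unexpected Host header: ${normaliseHost(req.headers.host)}`);
  }
  // The token is URL-encoded so it can never alter the path.
  return `${cfg.publicOrigin}/resetpassword/${encodeURIComponent(token)}`;
}

// Detection helper for access logs: flags reset requests whose Host header
// does not match the deployment. Log lines here are constructed samples.
function findSuspiciousResetRequests(logLines, cfg = config) {
  return logLines.filter((line) => {
    const m = /^(\S+) "POST \/forgetpassword" host=(\S+)/.exec(line);
    return m && !isAllowedHost(m[2], cfg);
  });
}

// Stand-alone demonstration on constructed requests and log lines.
const legitimateReq = { protocol: 'https', headers: { host: 'natours.example:443' } };
const forgedHostReq = { protocol: 'https', headers: { host: 'untrusted.example' } };
console.log('safe link:', buildResetUrlSafe(legitimateReq, 'constructed-token'));
try {
  buildResetUrlSafe(forgedHostReq, 'constructed-token');
} catch (err) {
  console.log('rejected:', err.message);
}
const sampleLog = [
  '10.0.0.5 "POST /forgetpassword" host=natours.example status=200',
  '10.0.0.9 "POST /forgetpassword" host=untrusted.example status=200',
];
console.log('suspicious:', findSuspiciousResetRequests(sampleLog));
```

The allowlist check is worth keeping even when a reverse proxy is expected to enforce the hostname, because the application then fails closed if that proxy configuration ever drifts, and the detection helper gives defenders a way to spot attempts in historical logs.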
Affected Version(s)
Natours < 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b