Host Header Injection in Drawing-Captcha APP by Drawing-Captcha
CVE-2025-62428

8.8HIGH

Key Information:

Vendor: Drawing-captcha
Status: Drawing-captcha-app
Vendor: CVE Published:; 16 October 2025

🔔 Create Drawing-captcha Vulnerability Alert

What is CVE-2025-62428?

The vulnerability within Drawing-Captcha APP enables Host Header Injection via the /register and /confirm-email endpoints. This allows attackers to craft malicious email confirmation links, potentially redirecting users to hostile domains. Users relying on email confirmations for account setups or verifications are at risk. A patch addressing this issue has been released in version 1.2.5-alpha-patch.

Affected Version(s)

Drawing-Captcha-APP < 1.2.5-alpha-patch

References

https://github.com/Drawing-Captcha/Drawing-Captcha-APP/se...

x_refsource_CONFIRM

https://github.com/Drawing-Captcha/Drawing-Captcha-APP/is...

x_refsource_MISC

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Oct 13, 2025

JSON