CVE-2025-27913

Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.passbolt.com/incidents/host-header-injection	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:passbolt:passbolt_api:*:*:*:*:*:*:*:*

History

19 Jun 2025, 00:14

Type	Values Removed	Values Added
References	~~() https://www.passbolt.com/incidents/host-header-injection -~~	() https://www.passbolt.com/incidents/host-header-injection - Vendor Advisory, Mitigation
Summary		(es) La API de Passbolt anterior a la versión 5, si el servidor está mal configurado (con un proceso de instalación incorrecto y sin tener en cuenta los resultados de la comprobación de estado), puede enviar mensajes de correo electrónico con un nombre de dominio tomado de un encabezado de host HTTP controlado por el atacante.
CPE		cpe:2.3:a:passbolt:passbolt_api::::::::
First Time		Passbolt passbolt Api Passbolt

11 Mar 2025, 03:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

10 Mar 2025, 21:15

Type	Values Removed	Values Added
CWE		CWE-348

10 Mar 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-10 20:15

Updated : 2025-06-19 00:14

NVD link : CVE-2025-27913

Mitre link : CVE-2025-27913

CVE.ORG link : CVE-2025-27913

JSON object : View

Products Affected

passbolt

passbolt_api

CWE

CWE-348

Use of Less Trusted Source

{"id": "CVE-2025-27913", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-10T20:15:14.500", "references": [{"url": "https://www.passbolt.com/incidents/host-header-injection", "tags": ["Vendor Advisory", "Mitigation"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-348"}]}], "descriptions": [{"lang": "en", "value": "Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header."}, {"lang": "es", "value": "La API de Passbolt anterior a la versi\u00f3n 5, si el servidor est\u00e1 mal configurado (con un proceso de instalaci\u00f3n incorrecto y sin tener en cuenta los resultados de la comprobaci\u00f3n de estado), puede enviar mensajes de correo electr\u00f3nico con un nombre de dominio tomado de un encabezado de host HTTP controlado por el atacante."}], "lastModified": "2025-06-19T00:14:38.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:passbolt:passbolt_api:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B392CCF7-6685-4C9F-AD83-9D98B1D1625C", "versionEndExcluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}