Skip to main content

HotelRunner B2B CVE-2025-4295

MEDIUM
Improper Validation of Certificate with Host Mismatch (CWE-297)
2025-07-22 iletisim@usom.gov.tr
4.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 18:57 vuln.today

DescriptionCVE.org

Improper Validation of Certificate with Host Mismatch vulnerability in HotelRunner B2B allows HTTP Response Splitting.

This issue affects B2B: before 04.06.2025.

AnalysisAI

HTTP Response Splitting in HotelRunner's B2B hospitality platform stems from improper certificate-host mismatch validation (CWE-297), enabling an authenticated low-privilege attacker to inject crafted headers into HTTP responses when a victim user interacts with the vulnerable flow. Successful exploitation can lead to cache poisoning, session hijacking, or content injection with limited confidentiality and integrity impact (C:L/I:L). No public exploit exists and EPSS sits at 0.07% (21st percentile), indicating no observed widespread exploitation at time of analysis.

Technical ContextAI

CWE-297 (Improper Validation of Certificate with Host Mismatch) describes a class of flaw where an application accepts TLS/SSL certificates without verifying that the certificate's Common Name or Subject Alternative Name matches the intended remote host. In HotelRunner B2B, this flawed outbound connection validation creates a pathway for HTTP Response Splitting: by not enforcing strict certificate-to-hostname binding, the application can be manipulated into relaying or processing attacker-controlled HTTP header content containing CR/LF injection characters (\r\n). This allows the attacker to terminate one HTTP response and inject a synthetic second response, a classic response-splitting scenario. No CPE strings were provided in the source data; affected scope is identified solely as the HotelRunner B2B product before the 04.06.2025 patch release. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:U) confirms the flaw is remotely reachable with low complexity but requires an authenticated session and a victim user interaction step.

Affected ProductsAI

HotelRunner B2B is affected in all versions released before 04.06.2025 (June 4, 2025). No CPE strings were included in the source data, so exact platform or component-level scoping beyond the product line is not available from this dataset. The vulnerability was reported and disclosed by the Turkish national cybersecurity authority USOM (iletisim@usom.gov.tr) with advisory TR-25-0169 published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0169 and https://www.usom.gov.tr/bildirim/tr-25-0169.

RemediationAI

Update HotelRunner B2B to the version released on or after 04.06.2025, which addresses the certificate-host mismatch validation flaw. The fix is confirmed by the Turkish USOM advisory TR-25-0169 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0169). An exact semantic version number was not published in the available source data - the advisory should be consulted directly to confirm the patched build identifier. If immediate patching is not feasible, consider restricting access to the B2B portal to trusted internal networks or VPN-only access to reduce the attacker population that can supply the required low-privilege authenticated session. Additionally, deploying a WAF rule to strip or reject HTTP headers containing encoded CR/LF sequences (e.g., %0d%0a, %0a, %0d) on traffic to the B2B application can serve as a compensating control, though this may interfere with legitimate header values and should be tested in a staging environment before production rollout.

Share

CVE-2025-4295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy