Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Lifecycle Timeline
6DescriptionGitHub Advisory
Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b.
AnalysisAI
A security vulnerability in Natours (CVSS 8.9). High severity vulnerability requiring prompt remediation.
Technical ContextAI
Vulnerability type not specified by vendor. CVSS 8.9 indicates high severity. Affects Natours.
RemediationAI
Monitor vendor channels for patch availability.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-20280