Skip to main content

Natours EUVDEUVD-2025-20280

| CVE-2025-53373 HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2025-07-07 security-advisories@github.com
8.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:34 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
7401793a8d9ed0f0c250c4e0ee2815d685d7a70b
EUVD ID Assigned
Mar 16, 2026 - 03:37 euvd
EUVD-2025-20280
Analysis Generated
Mar 16, 2026 - 03:37 vuln.today
CVE Published
Jul 07, 2025 - 16:15 nvd
HIGH 8.9

DescriptionGitHub Advisory

Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b.

AnalysisAI

A security vulnerability in Natours (CVSS 8.9). High severity vulnerability requiring prompt remediation.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 8.9 indicates high severity. Affects Natours.

RemediationAI

Monitor vendor channels for patch availability.

Share

EUVD-2025-20280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy