CVE-2025-61536 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An…
High CVSS: 8.2

CVE-2025-61536

FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer that forwards the header unchanged) can cause reset links to point to attacker-controlled domains or be delivered via insecure HTTP, enabling token theft, phishing, and account takeover.
Vendor
-
Product
-
CWE
CWE-620
Yayın Tarihi
2025-10-16 15:15:34
Güncelleme
2025-10-16 16:15:38
Source Identifier
cve@mitre.org
KEV Date Added
-

Kategoriler

CWE-620 HIGH 2025

Referanslar

https://github.com/FelixRiddle/dev-jobs-handlebars/ https://github.com/bugdotexe/Vulnerability-Research/tree/main/CVE-2025-61536