CVE-2025-25198
Published: 12 February 2025
Summary
CVE-2025-25198 is a high-severity Open Redirect (CWE-601) vulnerability in Mailcow Mailcow\. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
mailcow: dockerized, an open source groupware and email suite, is affected by an open redirect vulnerability in its password reset functionality prior to version 2025-01a. The flaw allows manipulation of the Host HTTP header during reset requests, causing the generated link to point to an arbitrary domain instead of the legitimate mailcow instance. The issue is tracked as CWE-601 with a CVSS 3.1 score of 7.1.
An unauthenticated attacker can supply a crafted Host header to produce a poisoned password reset email. If a legitimate user follows the link, the attacker can capture the reset token and complete account takeover. The attack requires user interaction but no other privileges on the target system.
The GitHub Security Advisory for GHSA-3mvx-qw4r-fcqf states that version 2025-01a contains the fix. As a workaround, administrators can disable the password reset feature entirely by clearing the Notification email sender and Notification email subject fields under System -> Configuration -> Options -> Password Settings.
EPSS remains low, with a current score of 0.0581 and a peak of 0.0584.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4084
Vulnerability details
mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an…
more
attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the public-facing mailcow application (password reset Host header manipulation) directly enables exploitation of the app for account takeover via poisoned reset links, mapping to T1190 and subsequent use of valid accounts (T1078).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates HTTP Host header inputs in password reset requests to prevent generation of links pointing to attacker-controlled domains.
Filters generated password reset URLs in email outputs to ensure they only reference trusted domains, blocking poisoned links.
Remediates the flaw in mailcow's password reset functionality by applying the patch released in version 2025-01a.