CVE-2025-25198
Published: 12 February 2025
Summary
CVE-2025-25198 is a high-severity Open Redirect (CWE-601) vulnerability in mailcow (mailcow: dockerized). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates HTTP Host header inputs in password reset requests to prevent generation of links pointing to attacker-controlled domains.
- SI-15 (Information Output Filtering): filters generated password reset URLs in email outputs to ensure they only reference trusted domains, blocking poisoned links.
- Flaw remediation: remediates the flaw in mailcow's password reset functionality by applying the patch released in version 2025-01a.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing mailcow application (password reset Host header manipulation) directly enables exploitation of the app for account takeover via poisoned reset links, mapping to T1190 and subsequent use of valid accounts (T1078).
NVD Description
mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
Deeper analysis
CVE-2025-25198 is a vulnerability in mailcow: dockerized, an open source groupware and email suite based on Docker, affecting versions prior to 2025-01a. It exists in the password reset functionality, where an attacker can manipulate the Host HTTP header to generate a password reset link pointing to an attacker-controlled domain. Classified as CWE-601 (URL Redirection to Untrusted Site), it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N).
The attack requires no privileges and can be launched remotely over the network with low complexity, though it depends on user interaction. An unauthenticated attacker tricks a user into initiating a password reset, intercepts or crafts the request to alter the Host header, and delivers an email with a poisoned link. If the user clicks the link, the attacker achieves account takeover, enabling high integrity impact such as unauthorized access and control over the victim's email account.
The GitHub security advisory (GHSA-3mvx-qw4r-fcqf) confirms that version 2025-01a contains a patch. As a workaround, deactivate password reset by clearing the "Notification email sender" and "Notification email subject" fields under System -> Configuration -> Options -> Password Settings.
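The two controls named above (validate the Host header on input, filter the generated reset link on output) side by side with the weak pattern that copies the request's Host into the link, as an added Python example that is not mailcow's code; the hostname, URL path and tokens are constructed assumptions:

```python
from urllib.parse import quote, urlsplit

# Constructed values for this example (assumptions, not mailcow configuration).
CANONICAL_BASE = "https://mail.example.org"
ALLOWED_HOSTS = {"mail.example.org"}


def reset_link_trusting_host(host_header: str, token: str) -> str:
    """The weak pattern behind CWE-601 here: the link origin is copied from the
    request's Host header, so an attacker-supplied Host lands in the email."""
    return f"https://{host_header}/reset-password?token={quote(token)}"


def normalise_host(host_header: str) -> str:
    """Lower-case, trim whitespace, drop a trailing dot and the default HTTPS
    port so cosmetic variants cannot slip past the allowlist comparison."""
    host = host_header.strip().lower().rstrip(".")
    if host.endswith(":443"):
        host = host[:-4]
    return host


def host_is_trusted(host_header: str) -> bool:
    """Input validation (SI-10): reject anything that is not a known host,
    including values that smuggle a path, userinfo or backslash."""
    host = normalise_host(host_header)
    if not host or any(ch in host for ch in "/@\\"):
        return False
    return host in ALLOWED_HOSTS


def reset_link_hardened(host_header: str, token: str) -> str:
    """Hardened pattern: refuse untrusted Host values and never derive the
    link origin from the request; use the configured canonical base."""
    if not host_is_trusted(host_header):
        raise ValueError(f"untrusted Host header rejected: {host_header!r}")
    return f"{CANONICAL_BASE}/reset-password?token={quote(token)}"


def link_points_to_trusted_domain(link: str) -> bool:
    """Output filter (SI-15) for the mail template: only let a link through
    if its host is on the allowlist, however the link was built."""
    parts = urlsplit(link)
    return parts.scheme == "https" and host_is_trusted(parts.netloc)
```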
Details
- CWE(s): CWE-601 (URL Redirection to Untrusted Site)