CVE-2025-25477
Published: 28 February 2025
Summary
CVE-2025-25477 is a high-severity Injection (CWE-74) vulnerability in SysPass. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). It is ranked at the 30.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-25477 is a host header injection vulnerability in SysPass 3.2x. Published on 2025-02-28, it enables an attacker to load malicious JavaScript files from an arbitrary domain, which are then executed in the victim's browser. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection').
An unauthenticated attacker can exploit this over the network with low attack complexity, though it requires user interaction, such as a victim accessing a crafted link or page. By supplying a forged Host header, the attacker causes SysPass to reference its scripts from an attacker-controlled domain; the victim's browser then fetches and executes that JavaScript in the application's context, with high impact on confidentiality and integrity, such as theft of sensitive data or session tokens, or further client-side attacks.
Mitigation details are available in the referenced advisory at https://github.com/sysentr0py/CVEs/tree/main/CVE-2025-25477.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5488
Vulnerability details
A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Host header injection enables SysPass to serve malicious JS from attacker-controlled domains, facilitating drive-by compromise (T1189), JavaScript execution (T1059.007), session cookie theft (T1539), and credential theft from web browsers/password manager context (T1555.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates the HTTP Host header against the hosts the deployment actually serves, blocking injection of arbitrary domains that would otherwise be used to load malicious JavaScript in the victim's browser.
- SI-15 (Information Output Filtering): filters outputs that embed host-derived values in script sources, neutralizing special elements so injected JavaScript cannot execute.
- Remediates the specific host header injection flaw in SysPass 3.2x through timely patching and testing of software updates.
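The following Python is an added illustration of the SI-10 and SI-15 controls above; it is example code written for this record, not SysPass's code, and it does not reproduce the SysPass flaw. The host names, the ALLOWED_HOSTS and CANONICAL_BASE values and the function names are assumptions for the example. It shows a strict Host header allowlist check (the input-validation side) next to building script URLs from configuration instead of from the request (the output side), so a forged Host value can never become a script origin. The same logic applies unchanged in PHP or any other web stack.

```python
"""Allowlist validation of the HTTP Host header and canonical asset URLs.

Illustrative defensive code, not SysPass's own implementation. The host
names and configuration values below are constructed for the example.
"""
import ipaddress
import re

# Only characters that can legally appear in a host[:port] value. Anything
# carrying a scheme, path, userinfo ("@"), whitespace or a query is rejected
# before it can reach the allowlist comparison.
_SAFE_CHARS = re.compile(r"[A-Za-z0-9.\-:\[\]]+")
# One DNS label (RFC 1123): alphanumeric, hyphens only inside, max 63 chars.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def _valid_port(rest):
    """rest is "" or ":<digits>"; return True if it is absent or a valid port."""
    if not rest:
        return True
    if not rest.startswith(":") or not rest[1:].isdigit():
        return False
    return 0 < int(rest[1:]) < 65536


def normalize_host(header_value):
    """Return the lowercase host named by a Host header, or None if malformed."""
    if header_value is None:
        return None
    value = header_value.strip()
    if not value or not _SAFE_CHARS.fullmatch(value):
        return None

    # Bracketed IPv6 literal, e.g. "[::1]:8443".
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
        return host.lower() if _valid_port(rest) else None

    # Plain host name with optional ":port".
    host, sep, port_part = value.partition(":")
    if not _valid_port(sep + port_part):
        return None
    host = host.lower().rstrip(".")
    if len(host) > 253 or not all(_LABEL.fullmatch(lbl) for lbl in host.split(".")):
        return None
    return host


def validate_host(header_value, allowed_hosts):
    """True only if the Host header names a host this deployment explicitly serves."""
    host = normalize_host(header_value)
    return host is not None and host in {h.lower() for h in allowed_hosts}


def script_src_from_host(host_header, path):
    """Anti-pattern of the kind the advisory describes: the script URL is built
    from the client-controllable Host header, so a forged Host steers the
    browser to a foreign origin for the application's JavaScript."""
    return "https://" + host_header + path


def script_src_hardened(host_header, path, allowed_hosts, canonical_base):
    """Reject unknown hosts up front (SI-10) and build asset URLs from
    configuration rather than from the request (SI-15)."""
    if not validate_host(host_header, allowed_hosts):
        raise ValueError("untrusted Host header: %r" % (host_header,))
    return canonical_base.rstrip("/") + path


if __name__ == "__main__":
    # Constructed deployment settings and a constructed forged request.
    ALLOWED_HOSTS = ["vault.example.org"]
    CANONICAL_BASE = "https://vault.example.org/"
    forged_host = "attacker.example"
    print("host-derived src :", script_src_from_host(forged_host, "/js/app.js"))
    try:
        script_src_hardened(forged_host, "/js/app.js", ALLOWED_HOSTS, CANONICAL_BASE)
    except ValueError as exc:
        print("hardened rejects :", exc)
    print("hardened accepts :", script_src_hardened(
        "Vault.Example.org:443", "/js/app.js", ALLOWED_HOSTS, CANONICAL_BASE))
```

A deployment that sits behind a reverse proxy should apply the same allowlist to whichever header the proxy forwards the original host in, and a Host header that fails validation should be answered with a generic error rather than echoed back into any HTML or script reference.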