Cyber Posture

CVE-2025-27913

Severity: High

Published: 10 March 2025
Modified: 19 June 2025
KEV added: not listed
Patch: upgrade to Passbolt API 5 or later
CVSS score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0011 (29.6th percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27913 is a high-severity Use of Less Trusted Source (CWE-348) vulnerability in the Passbolt API (vendor: Passbolt). Its CVSS v3.1 base score is 7.5 (High); the vector records high integrity impact with no confidentiality or availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0011 places it at the 29.6th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one further technique, email spoofing, listed below. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation)
Validates the HTTP Host header so that an attacker-controlled domain is never incorporated into email messages; the server should reject requests whose Host does not match its configured hostname rather than echo it back.

prevent: CM-6 (Configuration Settings)
Enforces secure configuration settings during installation, in particular a fixed, explicitly configured public base URL, so the application never has to trust an unvalidated Host header; acting on Health Check findings is part of this control.

prevent: flaw remediation (NIST 800-53 SI-2)
Remediates the specific flaw by applying patches or upgrading to Passbolt API version 5 or later.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1684.002 Email Spoofing (Stealth)
Adversaries may fake, or spoof, a sender's identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.
Why these techniques?

The vulnerability is a Host header injection flaw in a public-facing Passbolt API. A remote, unauthenticated attacker can make the server embed a domain of the attacker's choosing in the email it sends, so the attack is reached through exploitation of a public-facing application (T1190) and directly facilitates the email spoofing technique listed above.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header.

Deeper analysis

CVE-2025-27913 affects the Passbolt API in versions before 5. The vulnerability arises only when the server is misconfigured: the installation process was not followed correctly and Health Check results were disregarded, so the API falls back to the HTTP Host header of the incoming request when it needs its own public address. Because that header is attacker-controlled, outbound email messages can incorporate an attacker-chosen domain name. This is a Host header injection issue, mapped to CWE-348 (Use of Less Trusted Source), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remote attackers need no privileges or user interaction and can exploit the flaw over the network with low complexity: they send ordinary HTTP requests to the Passbolt server with a manipulated Host header, and any email the server generates in response carries the attacker's domain, typically in the links the message embeds. The integrity impact is high because recipients receive a message that genuinely originates from their Passbolt server yet directs them to an attacker-controlled host, which is the basis for the email spoofing technique mapped above. Correctly configured installations, where the public base URL is set explicitly and the Health Check passes, are not affected by this issue.
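The following Python model, added here as an illustration and not taken from Passbolt's code base, shows the two halves of the bug class described above and of the SI-10 and CM-6 controls recommended on this page: a link builder that derives the server's address from the request Host header (the misconfigured behaviour), beside a hardened version that takes the address from a fixed configured base URL and rejects any Host that is not on the server's allowlist. All names (CONFIGURED_BASE_URL, ALLOWED_HOSTS, the /setup/recover/ path, the sample headers) are assumptions for the example; the only real configuration name referred to is Passbolt's APP_FULL_BASE_URL, and even that is mentioned only as the setting this model stands in for.

```python
"""Host header injection in e-mail link generation: vulnerable vs hardened.

Added example modelling the bug class behind CVE-2025-27913. This is not
Passbolt's own code; every name below is an assumption for illustration.
"""
from urllib.parse import urlsplit

# Assumption: the operator's explicitly configured public base URL. In a real
# Passbolt deployment this role is played by APP_FULL_BASE_URL; the value here
# is constructed for the example.
CONFIGURED_BASE_URL = "https://passbolt.example.com"

# Assumption: the only hostname clients are allowed to address the server by.
ALLOWED_HOSTS = frozenset({"passbolt.example.com"})


class UntrustedHostError(ValueError):
    """Raised when the request's Host header is not on the allowlist."""


def vulnerable_recovery_link(request_headers: dict, token: str) -> str:
    """The misconfigured behaviour: the link origin is whatever Host the client sent.

    An attacker who sends 'Host: attacker.example' gets an e-mail, generated by
    the legitimate server, whose link points at attacker.example.
    """
    host = request_headers.get("Host", "")
    return f"https://{host}/setup/recover/{token}"


def validate_host(host_header: str) -> str:
    """SI-10 style input validation: accept only an allowlisted hostname.

    Handles an optional explicit port and a bracketed IPv6 literal, and is
    case-insensitive because DNS names are. Returns the normalised hostname.
    """
    host = host_header.strip().lower()
    if not host:
        raise UntrustedHostError("missing Host header")
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:443
        hostname = host[: host.find("]") + 1]
    else:
        hostname = host.split(":", 1)[0]          # strip ':port' if present
    if hostname not in ALLOWED_HOSTS:
        raise UntrustedHostError(f"Host {host_header!r} is not an allowed hostname")
    return hostname


def hardened_recovery_link(request_headers: dict, token: str) -> str:
    """CM-6 style fix: the link origin comes from configuration, never from the request.

    The Host header is still validated so that a request addressed to an
    unexpected hostname is rejected outright instead of silently served.
    """
    validate_host(request_headers.get("Host", ""))
    base = CONFIGURED_BASE_URL.rstrip("/")
    return f"{base}/setup/recover/{token}"


def link_points_to_trusted_origin(url: str) -> bool:
    """Check a generated link: HTTPS and an allowlisted hostname, nothing else."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed sample requests: one spoofed Host, one legitimate Host with a port.
    spoofed = {"Host": "attacker.example"}
    legitimate = {"Host": "passbolt.example.com:443"}
    token = "1f2e3d4c"

    bad_link = vulnerable_recovery_link(spoofed, token)
    print("vulnerable:", bad_link, "trusted origin:", link_points_to_trusted_origin(bad_link))

    try:
        hardened_recovery_link(spoofed, token)
    except UntrustedHostError as exc:
        print("hardened rejected spoofed request:", exc)

    good_link = hardened_recovery_link(legitimate, token)
    print("hardened:", good_link, "trusted origin:", link_points_to_trusted_origin(good_link))
```

The design point is that validation alone is not enough: even with a perfect allowlist, a server that builds its own URLs from request data is one configuration mistake away from this bug, so the hardened builder reads the origin from configuration and uses the Host check only to refuse misdirected requests. On a real Passbolt install the equivalent of CONFIGURED_BASE_URL must be set to the public address and the Health Check warnings that flag a mismatch must be acted on, which is exactly the misconfiguration the NVD description says this CVE depends on.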

The official advisory from Passbolt, available at https://www.passbolt.com/incidents/host-header-injection, provides details on mitigation steps for this issue.

Details

CWE(s)

CWE-348 Use of Less Trusted Source

Affected Products

passbolt / passbolt api: versions ≤ 5.0.0 as listed on this page (the NVD description says "before 5"; confirm the exact fixed release against the vendor advisory before closing the finding)

CVEs Like This One

CVE-2025-69240 (shared CWE-348)
CVE-2025-55292 (shared CWE-348)
CVE-2026-35391 (shared CWE-348)

References

Passbolt incident advisory: https://www.passbolt.com/incidents/host-header-injection