CVE-2025-61536
Published: 16 October 2025
Summary
CVE-2025-61536 is a high-severity Unverified Password Change (CWE-620) vulnerability. Its CVSS base score is 8.2 (High).
By exploit likelihood it ranks at the 20.5th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-34769
Vulnerability details
FelixRiddle dev-jobs-handlebars 1.0 builds absolute password-reset (magic) links from the untrusted `req.headers.host` header and hard-codes the `http://` scheme. An attacker who can control the `Host` header (or who can exploit a misconfigured proxy or load balancer that forwards the header unchanged) can therefore cause reset links to point at an attacker-controlled domain, or to be delivered over plaintext HTTP, enabling token theft, phishing, and account takeover.
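The vulnerable construction described above, placed beside a hardened version, as an added example. This is not code from dev-jobs-handlebars; the route path `/reset-password/`, the hostnames, the `APP_ORIGIN` setting and the 64-hex-character token format are assumptions made for the illustration.

```javascript
// Added illustration of the pattern CVE-2025-61536 describes. Not code from
// dev-jobs-handlebars; route path, hostnames and token format are assumptions.

// Vulnerable shape: the origin is rebuilt from the client-controlled Host
// header and the scheme is hard-coded to http://, so whoever controls Host
// controls where the reset token is sent.
function buildResetLinkVulnerable(req, token) {
  return `http://${req.headers.host}/reset-password/${token}`;
}

// Hardened shape: the origin is fixed server-side configuration (assumption:
// read from the environment at deploy time, never from the request), the
// scheme must be https, and the token is validated before it is placed in a URL.
const APP_ORIGIN = "https://jobs.example.com";
const ALLOWED_HOSTS = new Set(["jobs.example.com", "www.jobs.example.com"]);
const TOKEN_RE = /^[0-9a-f]{64}$/; // 32 random bytes, hex-encoded (crypto.randomBytes(32))

function buildResetLinkSafe(token) {
  if (!TOKEN_RE.test(token)) {
    throw new Error("reset token has unexpected format");
  }
  const url = new URL(`/reset-password/${token}`, APP_ORIGIN);
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error("APP_ORIGIN is misconfigured");
  }
  return url.toString();
}

// Defence in depth: refuse requests whose Host header is not one of ours, so a
// proxy that forwards an arbitrary Host still cannot reach the reset route.
// Port suffix is stripped and the name lower-cased before the allowlist check.
function hostAllowed(req) {
  const raw = req.headers.host;
  if (typeof raw !== "string" || raw.length === 0) return false;
  const hostOnly = raw.replace(/:\d+$/, "").toLowerCase();
  return ALLOWED_HOSTS.has(hostOnly);
}

// Stand-alone demo with a constructed request carrying an attacker Host.
function demo() {
  const token = "ab".repeat(32);
  const attackerReq = { headers: { host: "evil.example" } };
  return {
    vulnerable: buildResetLinkVulnerable(attackerReq, token),
    safe: buildResetLinkSafe(token),
    attackerAllowed: hostAllowed(attackerReq),
  };
}
```

Run `demo()` to see the two links side by side: the vulnerable one is `http://evil.example/...` because the attacker chose the Host, while the hardened one is always `https://jobs.example.com/...`. In an Express app, `hostAllowed` would sit in a middleware that returns 400 before the request reaches the reset handler; the allowlist also needs to include any `X-Forwarded-Host` handling you deliberately enable for a trusted proxy.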
- CWE(s): CWE-620 (Unverified Password Change)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- FelixRiddle dev-jobs-handlebars 1.0
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.