Cyber Resilience

CVE-2025-70948

Critical

Published: 05 March 2026
Modified: 27 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0035 (26.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-70948 is a critical-severity host header injection flaw, classified as CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax), in the @perfood/couch-auth npm package, version 0.26.0. Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 26.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-70948 is a host header injection vulnerability in the mailer component of the @perfood/couch-auth package, version 0.26.0. The flaw lets an attacker spoof the HTTP Host header so that password reset tokens are disclosed to them. It is classified under CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax) and carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N): critical severity because it is reachable over the network with low attack complexity and no privileges, needs only user interaction (UI:R), crosses a scope boundary (S:C), and has high confidentiality and integrity impact.

The vulnerability is exploitable remotely without authentication. In the standard form of this weakness, the mailer builds the password reset link from the value of the incoming Host header rather than from a configured origin: an attacker requests a reset for the victim's account while supplying a Host header that points at a server they control, and the victim receives a legitimate-looking email whose reset link carries the token to the attacker's host. User interaction is required, since the victim has to click the poisoned link or otherwise engage with the spoofed email. With the token in hand, the attacker completes the reset and takes over the account on any system running the vulnerable couch-auth version.

For remediation details, review the referenced resources: the GitHub repository at https://github.com/perfood/couch-auth, the npm package page at https://www.npmjs.com/package/@perfood/couch-auth, and the disclosure gist at https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e. These may provide patch information, fixed version numbers, or workaround guidance. The CVE was published on 2026-03-05.

Vulnerability details

A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.

CWE(s)

CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Host header injection in a public-facing mailer enables remote exploitation of the web application itself (T1190), and the poisoned reset email it produces is a phishing-style delivery of a malicious link to the victim (T1566.002), ending in account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26747 (shared CWE-644)
CVE-2025-64425 (shared CWE-644)
CVE-2026-33149 (shared CWE-644)
CVE-2026-26234 (shared CWE-644)
CVE-2025-52660 (shared CWE-644)
CVE-2026-48126 (shared CWE-644)

Affected Assets

@perfood/couch-auth 0.26.0 (npm package)
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the vulnerability by identifying, reporting, and correcting the host header injection flaw in the @perfood/couch-auth v0.26.0 mailer component through patching or upgrading.

SI-10 Information Input Validation (prevent)

Requires validation of the HTTP Host header in the mailer component, so that reset links are built from a configured origin and spoofed values cannot redirect reset tokens.

SC-7 Boundary Protection (prevent)

Enforces boundary protection via reverse proxies or web application firewalls that inspect and validate Host headers before a request reaches the vulnerable mailer component.

References

https://github.com/perfood/couch-auth
https://www.npmjs.com/package/@perfood/couch-auth
https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e