Cyber Posture

CVE-2025-70948

Critical

Published: 05 March 2026
Modified: 27 April 2026
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (1.8th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-70948 is a critical-severity Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644) vulnerability in the @perfood/couch-auth npm package (the vendor, Npmjs, was inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 1.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Spearphishing Link (T1566.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent (SI-2, Flaw Remediation): Directly mitigates the vulnerability by identifying, reporting, and correcting the host header injection flaw in the @perfood/couch-auth v0.26.0 mailer component through patching or upgrades.

- Prevent (SI-10, Information Input Validation): Requires validation of HTTP Host header inputs in the mailer component to neutralize injection attempts and prevent the spoofing that leads to reset token theft.

- Prevent (boundary protection): Enforces boundary protection via proxies or web application firewalls to monitor, inspect, and validate Host headers before requests reach the vulnerable mailer component.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

- T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Why these techniques?

Host header injection in the public-facing mailer directly enables remote exploitation of the web application (T1190) and facilitates delivery of spoofed password reset links via phishing (T1566.002), leading to account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.

Deeper analysis

CVE-2025-70948 is a host header injection vulnerability in the mailer component of the @perfood/couch-auth package, version 0.26.0. The mailer accepts a spoofed HTTP Host header when generating password reset emails, which lets attackers obtain password reset tokens. The vulnerability is classified under CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax) and carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for high confidentiality and integrity impacts with changed scope.

Attackers can exploit this vulnerability remotely without authentication by manipulating the Host header during interactions with the affected mailer component, typically in password reset workflows. Exploitation requires user interaction, such as a victim clicking a crafted link or engaging with a spoofed email. Successful attacks allow retrieval of reset tokens, enabling full account takeover on targeted systems using the vulnerable Couch-auth implementation.

For mitigation details, security practitioners should review the referenced advisories and resources, including the GitHub repository at https://github.com/perfood/couch-auth, the npm package page at https://www.npmjs.com/package/@perfood/couch-auth, and the detailed disclosure gist at https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e, which may provide patch information, version updates, or workaround guidance. The CVE was published on 2026-03-05.
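To make the flaw class concrete, the following is an added illustration, not code from @perfood/couch-auth or its disclosure: the function names, configuration keys and sample values are assumptions constructed for this example. It shows the vulnerable pattern (a reset link whose origin is taken from the request's Host header) beside a hardened version that validates the Host header against an allowlist and builds the link from a configured public base URL only.

```javascript
// Added illustration, not code from @perfood/couch-auth: the function names,
// config keys and sample values below are assumptions constructed for this example.

// Vulnerable pattern: the reset URL is built from the request's Host header.
// Whoever controls that header controls where the emailed link points, so a
// victim who clicks the link delivers the token to the attacker-chosen host.
function buildResetLinkFromHost(headers, token) {
  const host = headers['host'];
  return `https://${host}/auth/password-reset?token=${encodeURIComponent(token)}`;
}

// Hardened pattern, part 1 (SI-10 style input validation): only serve requests
// whose Host header matches a configured allowlist; anything else is rejected.
function assertKnownHost(headers, allowedHosts) {
  const host = String(headers['host'] || '').toLowerCase();
  if (!allowedHosts.includes(host)) {
    throw new Error(`rejected request: unexpected Host header "${host}"`);
  }
}

// Hardened pattern, part 2: the link's origin comes from server configuration,
// never from the request, so a spoofed Host cannot redirect the token.
function buildResetLinkFromConfig(headers, token, config) {
  assertKnownHost(headers, config.allowedHosts);
  const url = new URL('/auth/password-reset', config.publicBaseUrl);
  url.searchParams.set('token', token);
  return url.toString();
}

// Constructed sample values (assumed names, not from any real deployment).
const SAMPLE_CONFIG = {
  publicBaseUrl: 'https://app.example.com',
  allowedHosts: ['app.example.com'],
};
const SPOOFED_HEADERS = { host: 'attacker.example' };
const LEGIT_HEADERS = { host: 'app.example.com' };
const SAMPLE_TOKEN = 'r3s3t-t0k3n';

// Demonstration: the vulnerable builder happily emits an attacker-pointed link,
// while the hardened builder rejects the spoofed request outright.
console.log('vulnerable:', buildResetLinkFromHost(SPOOFED_HEADERS, SAMPLE_TOKEN));
try {
  buildResetLinkFromConfig(SPOOFED_HEADERS, SAMPLE_TOKEN, SAMPLE_CONFIG);
} catch (e) {
  console.log('hardened:', e.message);
}
console.log('hardened (legitimate host):',
  buildResetLinkFromConfig(LEGIT_HEADERS, SAMPLE_TOKEN, SAMPLE_CONFIG));
```

In a real deployment the allowlist must also cover any reverse-proxy hostnames and ports the application legitimately receives, otherwise valid reset requests are rejected.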

Details

CWE(s): CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax)

Affected Products: Npmjs (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2026-26747 (shared CWE-644)
- CVE-2025-64425 (shared CWE-644)
- CVE-2026-33149 (shared CWE-644)
- CVE-2026-26234 (shared CWE-644)
- CVE-2025-52660 (shared CWE-644)

References