CVE-2025-27913

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-27913

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27913.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-27913

Published

2025-03-10T20:15:14Z

Modified

2025-06-20T03:57:15.836411Z

Summary

[none]

Details

Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header.

References

https://www.passbolt.com/incidents/host-header-injection

Affected packages

Git / github.com/passbolt/passbolt_api

Affected ranges

Type: GIT
Repo: https://github.com/passbolt/passbolt_api
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

bc9c755ed5ca8cfd03bf5fff1689cc2a8db9a9f3

Affected versions

3.*

3.6.0

3.6.0-1

3.7.0

3.7.0-1

v1.*

v1.0.10

v1.0.11

v1.0.12

v1.0.13

v1.0.14

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.5.1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.9

v2.*

v2.0.0

v2.0.0-rc1

v2.0.0-rc2

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.7

v2.1.0

v2.10.0

v2.11.0

v2.12.0

v2.12.1

v2.13.0

v2.13.1

v2.13.5

v2.2.0

v2.3.0

v2.4

v2.5.0

v2.7.0

v2.7.1

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.9.0

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.1.0

v3.10.0

v3.11.0

v3.11.1

v3.12.0

v3.12.0-rc.1

v3.12.0-rc.2

v3.12.2

v3.12.2-rc.1

v3.2.0

v3.2.0-1

v3.2.1

v3.2.1-1

v3.3.0

v3.3.0-1

v3.3.1

v3.3.1-1

v3.4.0

v3.4.0-1

v3.4.0-2

v3.4.0-3

v3.5.0

v3.5.0-1

v3.5.0-3

v3.6.0

v3.7.0

v3.7.1

v3.7.1-1

v3.7.2

v3.7.2-1

v3.7.3

v3.7.3-1

v3.8.0

v3.8.0-1

v3.8.0-2

v3.8.1

v3.8.1-1

v3.8.3

v3.8.3-1

v3.9.0

v4.*

v4.0.0

v4.0.0-rc.2

v4.0.0-rc.3

v4.0.0-rc.4

v4.0.0-rc.5

v4.0.1

v4.0.1-rc.1

v4.0.2

v4.0.2-rc.1

v4.1.0

v4.1.0-rc.2

v4.1.0-rc.3

v4.1.1

v4.1.1-rc.1

v4.1.1-rc.2

v4.1.2

v4.1.2-rc.2

v4.10.0

v4.10.0-rc.1

v4.10.0-test.1

v4.10.1

v4.10.1-test.1

v4.11.0

v4.11.0-test.1

v4.11.0-test.2

v4.11.0-test.3

v4.11.1

v4.11.1-test.1

v4.12.0

v4.12.0-rc.1

v4.12.0-test.1

v4.12.1

v4.12.1-test.1

v4.2.0

v4.2.0-rc.1

v4.2.0-rc.2

v4.2.0-test.1

v4.2.0-test.2

v4.3.0

v4.3.0-rc.1

v4.3.0-test.1

v4.3.0-test.2

v4.4.0

v4.4.0-rc.1

v4.4.0-test.1

v4.4.0-test.2

v4.4.0-test.3

v4.4.1

v4.4.1-test.1

v4.4.1-test.2

v4.4.1-test.3

v4.4.2

v4.4.2-test.1

v4.5.0

v4.5.0-rc.1

v4.5.0-test.1

v4.5.2

v4.5.2-test.1

v4.6.0

v4.6.0-rc.1

v4.6.0-rc.2

v4.6.0-test.1

v4.6.1

v4.6.1-test.1

v4.6.2

v4.6.2-test.1

v4.6.2-test.2

v4.7.0

v4.7.0-rc.1

v4.7.0-test.1

v4.7.0-test.2

v4.8.0

v4.8.0-rc.1

v4.8.0-test.1

v4.9.0

v4.9.0-rc.1

v4.9.0-test.1

v4.9.0-test.2

v4.9.1

v4.9.1-test.1

v5.*

v5.0.0-rc.1

v5.0.0-rc.2

v5.0.0-test.1

v5.0.0-test.2

v5.0.0-test.3

v5.0.0-test.4