Description

A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. An attacker can manipulate the Host header in HTTP requests, which may lead to phishing attacks, reset password, or cache poisoning. NOTE: the Supplier's position is that the end user is supposed to edit the NGINX configuration template to set server_name (with this setting, Host header injection cannot occur).

INFO

Published Date :

2025-01-31T00:00:00.000Z

Last Modified :

2025-02-21T16:51:29.844Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-23001 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-23001.

URL Resource
https://blog.ctfd.io/ctfd-3-7-6/ cve-icon cve-icon
https://codetoanbug.com/poc-cve-2025-23001-ctfd-english/ cve-icon cve-icon
https://github.com/CTFd/CTFd cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact