Description

FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer that forwards the header unchanged) can cause reset links to point to attacker-controlled domains or be delivered via insecure HTTP, enabling token theft, phishing, and account takeover.

INFO

Published Date :

2025-10-16T00:00:00.000Z

Last Modified :

2025-10-16T15:31:59.365Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-61536 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-61536.

URL Resource
https://github.com/FelixRiddle/dev-jobs-handlebars/ cve-icon cve-icon
https://github.com/bugdotexe/Vulnerability-Research/tree/main/CVE-2025-61536 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact