CVE-2025-27913: Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send...

2.1 CVSS

Description

Passbolt API before 5, when the server is misconfigured (installed incorrectly, with Health Check warnings ignored), can send email messages whose domain name is taken from an attacker-controlled HTTP Host header rather than from a fixed, administrator-configured base URL.
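The weakness class here (CWE-348) is easiest to see side by side: a link builder that falls back to the request's Host header when no base URL is configured, next to one that fails closed and validates Host against an allow-list. The following is an added illustration written for this page, not Passbolt's or CakePHP's code; the config key `full_base_url`, the request shape, the token and the hostnames are all constructed for the example.

```python
"""
Host-header-driven email link generation: vulnerable vs hardened.

Added illustration of CWE-348 as it applies to CVE-2025-27913. This is
not Passbolt's code. The config key "full_base_url", the request
dictionaries, the token and the hostnames are assumptions made for the
example, not values taken from the project.
"""
from urllib.parse import urlsplit

# Constructed sample request. An attacker submits the recovery form for the
# victim's address while supplying their own Host header; the resulting
# email is delivered to the victim, not the attacker.
ATTACKER_REQUEST = {
    "path": "/users/recover",
    "headers": {
        "Host": "evil.example",        # attacker-chosen
        "X-Forwarded-Proto": "https",  # attacker-chosen as well
    },
}

# Constructed sample: what a legitimate request looks like.
LEGIT_REQUEST = {
    "path": "/users/recover",
    "headers": {"Host": "passbolt.example.com", "X-Forwarded-Proto": "https"},
}

TOKEN = "a1b2c3d4"  # constructed placeholder, not a real recovery token


def build_recovery_link_vulnerable(request, config):
    """Use the configured base URL if present, otherwise derive it from the
    request. The fallback is the bug: with full_base_url unset (the kind of
    misconfiguration a health check is there to flag), the attacker picks
    the domain that ends up in the victim's email."""
    base = config.get("full_base_url")
    if not base:
        scheme = request["headers"].get("X-Forwarded-Proto", "http")
        base = f"{scheme}://{request['headers']['Host']}"
    return f"{base}{request['path']}/{TOKEN}"


def build_recovery_link_hardened(request, config, allowed_hosts):
    """Always take the base URL from configuration and refuse to run at all
    without it. Additionally reject requests whose Host header is not on an
    explicit allow-list; either control alone blocks this vector, and the
    allow-list also catches reverse-proxy mistakes that would otherwise
    let a forged Host reach the application."""
    base = config.get("full_base_url")
    if not base:
        raise RuntimeError("full_base_url is not configured; refusing to guess from Host")
    host = request["headers"].get("Host", "").split(":", 1)[0].lower()
    if host not in allowed_hosts:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{base}{request['path']}/{TOKEN}"


def link_domain(link):
    """Hostname that a recipient's mail client would send them to."""
    return urlsplit(link).hostname


def host_header_is_honoured(builder, config):
    """Quick offline probe: does the builder let an attacker-supplied Host
    reach the generated link? True means vulnerable under this config."""
    try:
        return link_domain(builder(ATTACKER_REQUEST, config)) == "evil.example"
    except (RuntimeError, ValueError):
        return False


if __name__ == "__main__":
    unset = {}
    fixed = {"full_base_url": "https://passbolt.example.com"}
    print("vulnerable builder, base URL unset:",
          host_header_is_honoured(build_recovery_link_vulnerable, unset))
    print("vulnerable builder, base URL set:   ",
          host_header_is_honoured(build_recovery_link_vulnerable, fixed))
    print("hardened builder, base URL set:     ",
          host_header_is_honoured(
              lambda r, c: build_recovery_link_hardened(r, c, {"passbolt.example.com"}),
              fixed))
```

On a test instance the equivalent live check is to submit the recovery form with a forged header (for example `curl -H 'Host: evil.example' ...` against the recovery endpoint) and inspect the link in the resulting email; if it carries the forged domain, the base URL is not pinned and the deployment matches the misconfigured case this CVE describes.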

Classification

CVE ID: CVE-2025-27913

CVSS Base Severity: LOW

CVSS Base Score: 2.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Problem Types

CWE-348 Use of Less Trusted Source

Affected Products

Vendor: Passbolt

Product: API

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 2.73% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-08 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27913
https://www.passbolt.com/incidents/host-header-injection

Timeline