CVE-2025-61536 | THREATINT

Description

FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer that forwards the header unchanged) can cause reset links to point to attacker-controlled domains or be delivered via insecure HTTP, enabling token theft, phishing, and account takeover.

PUBLISHED Reserved 2025-09-26 | Published 2025-10-16 | Updated 2025-10-16 | Assigner mitre

References

github.com/FelixRiddle/dev-jobs-handlebars/

github.com/...ulnerability-Research/tree/main/CVE-2025-61536

cve.org (CVE-2025-61536)

nvd.nist.gov (CVE-2025-61536)

Download JSON