CVE-2025-62428 | THREATINT

Description

Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints. It allows an attacker to manipulate the Host header in HTTP requests to generate malicious email confirmation links. These links can redirect users to attacker-controlled domains. This vulnerability affects all users relying on email confirmation for account registration or verification. This vulnerability is fixed in 1.2.5-alpha-patch.

PUBLISHED Reserved 2025-10-13 | Published 2025-10-16 | Updated 2025-10-17 | Assigner GitHub_M

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Problem types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Product status

< 1.2.5-alpha-patch

affected

References

github.com/...ha-APP/security/advisories/GHSA-5pj8-fc6g-vv7m

github.com/Drawing-Captcha/Drawing-Captcha-APP/issues/30

cve.org (CVE-2025-62428)

nvd.nist.gov (CVE-2025-62428)

Download JSON