
Host header injection

Introduction

  • CVSS Score: Low, 2.1 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N)
  • CVE: CVE-2025-27913
  • Vulnerability Type: Host header injection
  • Product affected: Passbolt API
  • Versions affected: Passbolt API <= v4.11.1
  • Version fixed: Passbolt v4.11.1 (via Feature Flag) / v5 (future)
  • Affected component: URL Router

Vulnerability details

Impact analysis

Root cause analysis

Mitigation and remediations
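The standard defence against Host header injection is to stop trusting the incoming Host header when building absolute URLs and to compare it against an explicit allowlist of the hostnames the deployment is actually served under (or to ignore it entirely in favour of a configured base URL). The following is an added, generic illustration of that check, together with a small detection sweep over access-log lines; it is not Passbolt's code and says nothing about how Passbolt's URL router or feature flag implements the fix. The hostnames, configuration values and log lines are constructed for the example.

```python
"""Generic Host header allowlisting: normalisation, an allowlist check,
safe absolute-URL building and a detection sweep over log lines.
Added example, not Passbolt's code; all values below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed configuration (placeholder hostnames, not real deployments).
# A real application would load these from its settings.
ALLOWED_HOSTS = frozenset({"vault.example.test", "vault.example.test:8443"})
CONFIGURED_BASE_URL = "https://vault.example.test"
DEFAULT_PORTS = {"https": "443", "http": "80"}

# A syntactically valid Host value: a DNS name or a bracketed IPv6 literal,
# optionally followed by a port. Paths, userinfo, whitespace, CR/LF and any
# other trailing data fail this match before the allowlist is consulted.
_HOST_RE = re.compile(
    r"(?P<name>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?|\[[0-9a-f:.]+\])"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def normalise_host(raw: str, scheme: str = "https") -> Optional[str]:
    """Return a canonical 'name[:port]' form, or None if the value is malformed.

    Case is folded and the scheme's default port is dropped so that
    'VAULT.example.test:443' and 'vault.example.test' compare equal.
    """
    match = _HOST_RE.fullmatch(raw.lower())
    if match is None:
        return None
    name, port = match.group("name"), match.group("port")
    if port is None:
        return name
    port_number = int(port)
    if not 1 <= port_number <= 65535:
        return None
    port = str(port_number)  # strips leading zeros such as '0443'
    if port == DEFAULT_PORTS.get(scheme):
        return name
    return f"{name}:{port}"


def host_is_allowed(raw_host: str, scheme: str = "https") -> bool:
    """True only if the Host header names one of the configured hostnames."""
    host = normalise_host(raw_host, scheme)
    return host is not None and host in ALLOWED_HOSTS


def build_absolute_url(headers: Dict[str, str], path: str,
                       scheme: str = "https") -> str:
    """Build a link (for example a recovery e-mail link) without echoing an
    untrusted Host. The unsafe pattern is f"https://{headers['Host']}{path}";
    here the header is only used when allowlisted, and the configured base
    URL is used otherwise. X-Forwarded-Host deserves the same treatment and
    should only be read behind a reverse proxy the operator controls.
    """
    raw = headers.get("Host", "")
    if host_is_allowed(raw, scheme):
        base = f"{scheme}://{normalise_host(raw, scheme)}"
    else:
        base = CONFIGURED_BASE_URL
    return base + path


# Detection: after deploying an allowlist, a quick sweep of request logs shows
# which Host values would have been rejected, which is also a cheap way to
# confirm a reverse proxy is normalising Host before the application sees it.
_LOG_HOST_RE = re.compile(r'host="(?P<host>[^"]*)"')


def unexpected_hosts(log_lines: List[str],
                     scheme: str = "https") -> List[Tuple[int, str]]:
    """Return (line number, host) for every logged request whose Host is
    not on the allowlist."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _LOG_HOST_RE.search(line)
        if match and not host_is_allowed(match.group("host"), scheme):
            hits.append((number, match.group("host")))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2025-02-18T10:00:01Z method=POST path=/users/recover host="vault.example.test" status=200',
    '2025-02-18T10:00:02Z method=POST path=/users/recover host="VAULT.example.test:443" status=200',
    '2025-02-18T10:00:03Z method=POST path=/users/recover host="not-our-host.example.test" status=200',
    '2025-02-18T10:00:04Z method=GET path=/ host="vault.example.test/evil" status=400',
]

if __name__ == "__main__":
    print(build_absolute_url({"Host": "not-our-host.example.test"}, "/users/recover"))
    for line_number, host in unexpected_hosts(SAMPLE_LOG):
        print(f"line {line_number}: unexpected Host {host!r}")
```

Two design points matter here: the allowlist compares normalised values, so case and default-port variations of a legitimate hostname are accepted while anything that is not a bare hostname-and-port is rejected outright; and on rejection the URL builder falls back to the configured base URL instead of the header, so the worst case is a correct link rather than one pointing at a hostname the client chose.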

Acknowledgments

Timeline of events

  • 2025-01-16: Vulnerability reported by a security researcher
  • 2025-01-16: Vulnerability analysed and acknowledgement sent to the security researcher
  • 2025-02-18: A fix is published as part of Passbolt API v4.11.1
  • 2025-02-18: Incident page published
  • 2025-02-19: CVE requested to raise awareness of the issue
  • 2025-03-11: CVE number added

Current status:
