Host header injection
Introduction
A vulnerability identified by security researcher David Silva allows an attacker to manipulate the Host header so that the URLs embedded in emails sent by the server point to an attacker-chosen host, when the server is misconfigured and fullBaseUrl is not set.
- CVSS Score: 2.1 (Low), CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
- CVE: In progress
- Vulnerability Type: Host header injection
- Product affected: Passbolt API
- Versions affected: Passbolt API <= v4.11.1 (v4.11.1 remains affected unless the enforcement flag described below is enabled)
- Version fixed: Passbolt API v4.11.1 (opt-in, via feature flag) / v5 (enforced by default, future)
- Affected component: URL Router
Vulnerability details
The vulnerability allows an attacker, on a misconfigured server, to choose the base URL used in emails generated by unauthenticated endpoints (such as account recovery), because that base URL is derived from the Host header sent by the client. An administrator who ignored the healthcheck results and the installation instructions, and configured a server with neither fullBaseUrl set nor a pinned server_name, may expose their system to this vulnerability.
Impact analysis
The impact on integrity is limited to the content of the emails, and requires the server to be misconfigured. Further exploitation also requires the recipient to click the malicious link in the email.
Root cause analysis
When fullBaseUrl is not set by the system administrator, the application falls back to the HTTP_HOST request variable (exposed to PHP as $_SERVER['HTTP_HOST']), which can be populated in several ways. It may be fixed by the web server configuration (typically via the server_name directive on NGINX); otherwise it is taken verbatim from the HTTP Host header, which is chosen by the client and therefore by the attacker.
Mitigation and remediations
The long-term solution is to prevent Passbolt from running without fullBaseUrl set and, by default, to raise an error.
A partial fix was released as part of Passbolt API v4.11.1 behind a configuration flag, to keep backward compatibility and avoid breaking legitimate configurations that need the Host header to be set dynamically (for example, behind a proxy or load balancer). In version 5 this will default to an error, which administrators who want to keep the legacy behavior can still disable.
This new flag is called passbolt.security.fullBaseUrlEnforce, and can be set via the environment variable PASSBOLT_SECURITY_FULLBASEURL_ENFORCE. It was added to enforce the presence of the fullBaseUrl setting. This flag is set to false in version 4.11.1 and will be set to true in version 5.
In addition, more health-check information, as well as an application warning, were added to let the administrator know more about the vulnerability. The log warning can be disabled by setting passbolt.security.emptyFullBaseUrlWarn, accessible via the environment variable PASSBOLT_SECURITY_EMPTY_FULLBASEURL_WARN, to false.
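The fallback chain described under root cause analysis and the two flags described above, condensed into a small runnable model. This is an added example written for this page, not Passbolt's own code: the function name, the shape of the configuration and request arrays, and the illustrative recovery path are assumptions; the config key App.fullBaseUrl follows the CakePHP convention, and the two flag keys are the ones named in this section written in CakePHP dot-notation order.

```php
<?php
declare(strict_types=1);

// Thrown when fullBaseUrl is missing and enforcement is on (the v5 default).
final class MissingFullBaseUrlException extends RuntimeException {}

/**
 * Resolve the base URL to embed in links inside outgoing emails.
 * Assumed shapes (not Passbolt's real API):
 *   $config  application settings: App.fullBaseUrl plus the two security flags
 *   $server  the PHP $_SERVER array of the incoming request
 *   $log     collects warnings instead of writing to a real logger
 */
function resolveEmailBaseUrl(array $config, array $server, array &$log): string
{
    $fullBaseUrl = $config['App']['fullBaseUrl'] ?? null;
    if (is_string($fullBaseUrl) && $fullBaseUrl !== '') {
        // Correct configuration: the administrator pinned the host, so the
        // client's Host header is never consulted.
        return rtrim($fullBaseUrl, '/');
    }

    $enforce = (bool)($config['passbolt']['security']['fullBaseUrlEnforce'] ?? false);
    if ($enforce) {
        // v5 behaviour: refuse rather than trust client-controlled input.
        throw new MissingFullBaseUrlException(
            'App.fullBaseUrl is not set; refusing to derive it from the Host header.'
        );
    }

    $warn = (bool)($config['passbolt']['security']['emptyFullBaseUrlWarn'] ?? true);
    if ($warn) {
        $log[] = 'App.fullBaseUrl is not set; falling back to HTTP_HOST (host header injection risk).';
    }

    // Legacy fallback (v4.11.1 default): HTTP_HOST is filled by the web server
    // from the request's Host header unless the server pins it, so whoever
    // sends the request chooses the host that ends up in the email.
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = $server['HTTP_HOST'] ?? 'localhost';

    return $scheme . '://' . $host;
}

// Constructed request: an attacker hits an unauthenticated, email-sending
// endpoint with a Host header they control.
$spoofedRequest = ['HTTPS' => 'on', 'HTTP_HOST' => 'attacker.example'];
$recoveryPath = '/recover?token=TOKEN'; // illustrative only, not a real Passbolt route
$log = [];

// 1. Misconfigured server with the v4.11.1 default (no enforcement).
$legacy = ['App' => [], 'passbolt' => ['security' => ['fullBaseUrlEnforce' => false]]];
echo 'v4.11.1 default: ' . resolveEmailBaseUrl($legacy, $spoofedRequest, $log) . $recoveryPath . "\n";
echo 'warning logged: ' . end($log) . "\n";

// 2. Same server with enforcement on (the v5 default).
$enforced = ['App' => [], 'passbolt' => ['security' => ['fullBaseUrlEnforce' => true]]];
try {
    resolveEmailBaseUrl($enforced, $spoofedRequest, $log);
} catch (MissingFullBaseUrlException $e) {
    echo 'enforced: refused, ' . $e->getMessage() . "\n";
}

// 3. Correctly configured server: the spoofed Host header is ignored.
$pinned = ['App' => ['fullBaseUrl' => 'https://passbolt.example.com']];
echo 'pinned: ' . resolveEmailBaseUrl($pinned, $spoofedRequest, $log) . $recoveryPath . "\n";
```

Run it with php followed by the file name. The first call prints a link on attacker.example and a logged warning, the second refuses to build a URL at all, and the third ignores the spoofed Host header because fullBaseUrl wins. The equivalent check on a real deployment is to send a request to an unauthenticated, email-generating endpoint with a Host header you control and confirm that the link in the resulting email still uses the configured fullBaseUrl rather than the value you supplied.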
Acknowledgments
Passbolt would like to acknowledge and thank David Silva for bringing this issue to the attention of the Passbolt Community.
Timeline of events
- 2025-01-16: Vulnerability reported by security researcher
- 2025-01-16: Vulnerability analysis and acknowledgement to security researcher
- 2025-02-18: A fix is published as part of Passbolt API v4.11.1
- 2025-02-18: Incident page published
- 2025-02-19: CVE requested to create awareness about the issue
Current status:
1. Try first to reproduce the issue
2. Acknowledge to the reporter
3. Get a fix/patch prepared
4. Release new version.
5. Prepare a report about the issue.
6. Feature the problem in an incident page.