CVE-2025-70948

EUVD-2025-208327
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
References
https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e
https://github.com/perfood/couch-auth
https://www.npmjs.com/package/@perfood/couch-auth