8.6
Couch-Auth Email System Allows Attackers to Hijack Accounts
CVE-2025-70948
GHSA-qw8v-34ww-6q9p
Summary
A security weakness in the email system of Couch-Auth allows hackers to redirect emails and steal account reset tokens, potentially giving them control over user accounts. This could lead to unauthorized access to sensitive information. Update Couch-Auth to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| perfood | couch-auth | <= 0.26.0 | – |
| perfood | @perfood/couch-auth | <= 0.26.0 | – |
Original title
@perfood/couch-auth has a host header injection vulnerability
Original description
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.
NVD CVSS 3.1 score
9.3
Vulnerability type
CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax)
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
Injection
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026