[Summary]
A Host Header Injection vulnerability (CVE-2025-23001) exists in the open-source Capture The Flag (CTF) platform CTFd version 3.7.5. The vulnerability occurs due to the platform's failure to validate or sanitize the Host header properly. Attackers can exploit this to perform phishing attacks, reset passwords, or poison caches. This post aims to provide in-depth information about the vulnerability, including code snippets, links to original references, and exploitation details.
[Issue Description]
CTFd version 3.7.5 is vulnerable to Host Header Injection because it does not properly validate and sanitize the Host header in the HTTP requests sent by clients. This vulnerability allows attackers to manipulate the Host header value used by the application to generate password reset links or craft phishing scams. It also enables malicious actors to trick web caches into storing user-specific content, potentially leading to cache poisoning.
[Code Snippet]
The vulnerable code resides in the CTFd application, specifically within the utils/emails/__init__.py file. The application generates password reset links without properly validating the Host header. Below is the affected piece of code:
    from flask import url_for

    def send_password_reset(email, user):
        reset_token = create_password_reset(user.id)
        # _external=True builds an absolute URL whose host is taken from the request's Host header
        reset_link = url_for("auth.reset_password", token=reset_token, _external=True)
In this code snippet, _external=True should be replaced with _scheme="https" and _external=False, effectively sanitizing and validating the Host header.
[Exploit Details]
To exploit this vulnerability, an attacker would first need to intercept an HTTP request from a targeted user. The attacker can then manipulate the Host header within the request to a different domain under their control. This malformed request with an incorrect Host header can lead to unwanted access to sensitive information or unauthorized actions.
1. The attacker intercepts an HTTP request from the target user to CTFd.
2. The attacker modifies the Host header to their controlled domain, for example, attacker.com, and forwards the request to CTFd.
3. The application, upon receiving the tampered request, generates a password reset link using the manipulated Host header and sends it to the user.
4. The unsuspecting user clicks on the link, which takes them to the attacker-controlled domain and exposes their sensitive information.
The malicious actor could also leverage this vulnerability to trick web caches into storing user-specific content wrongly, thereby causing cache poisoning.
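As an added illustration (not CTFd's own code) of the flaw in the code snippet above and of the four-step chain just listed, the following Python models a reset-link builder that trusts the request Host the way url_for(..., _external=True) does, beside a hardened builder that allowlists the host and derives the link from a configured canonical origin, plus a small log check that flags requests carrying an unexpected Host. The origin ctf.example.org, the host attacker.example, the /reset_password/ path shape and the key=value log format are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed deployment values (assumptions, not CTFd's own configuration).
CANONICAL_ORIGIN = "https://ctf.example.org"
ALLOWED_HOSTS = {"ctf.example.org"}
RESET_PATH = "/reset_password/"  # assumed path shape for auth.reset_password

def build_reset_link_vulnerable(headers, token):
    """Mirror of url_for(..., _external=True): scheme and host are taken
    from the request, so whatever the client sent as Host lands in the link."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    host = headers.get("X-Forwarded-Host", headers.get("Host", ""))
    return f"{scheme}://{host}{RESET_PATH}{token}"

def host_is_allowed(host, allowed=ALLOWED_HOSTS):
    """Normalise the Host value (strip port, lower-case, unwrap [IPv6]) and
    compare it with the allowlist; anything empty or unparseable is rejected."""
    if not host:
        return False
    try:
        hostname = urlsplit("//" + host).hostname
    except ValueError:
        return False
    return hostname in allowed

def build_reset_link_hardened(headers, token):
    """Reject requests whose Host is not allowlisted and never echo the header:
    the absolute link is built from the configured canonical origin."""
    host = headers.get("Host", "")
    if not host_is_allowed(host):
        raise ValueError(f"untrusted Host header rejected: {host!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}{token}"

def untrusted_host_requests(log_lines, allowed=ALLOWED_HOSTS):
    """Detection helper: return log lines whose host= field is outside the
    allowlist (or missing). The key=value line format is constructed here."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if not host_is_allowed(fields.get("host", ""), allowed):
            hits.append(line)
    return hits

if __name__ == "__main__":
    # Constructed request whose Host was rewritten to a domain the operator does not own.
    tampered = {"Host": "attacker.example", "X-Forwarded-Proto": "https"}
    print(build_reset_link_vulnerable(tampered, "TOKEN"))  # off-site reset link
    print(host_is_allowed(tampered["Host"]))  # False: the hardened builder raises instead
```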
Here are the original references providing information about this vulnerability:
1. CVE-2025-23001 - Mitre
2. CTFd Security Advisory
3. NVD - CVE-2025-23001
[Conclusion]
In conclusion, it is crucial to address the Host Header Injection vulnerability in CTFd application version 3.7.5, as neglecting it could lead to significant security risks, such as phishing attacks, password reset issues, or cache poisoning. Users of the affected version should ensure they are using the latest patched version by regularly checking for updates and following safe coding practices to mitigate such vulnerabilities.
[Timeline]
Published on: 01/31/2025 17:15:16 UTC
Last modified on: 02/03/2025 17:15:26 UTC