CVE-2025-61536: n/a
FelixRiddle dev-jobs-handlebars 1.0 builds absolute password-reset (magic) links from the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer that forwards the header unchanged) can cause reset links to point to attacker-controlled domains or be delivered via insecure HTTP, enabling token theft, phishing, and account takeover.
AI Analysis
Technical Summary
CVE-2025-61536 affects FelixRiddle dev-jobs-handlebars version 1.0, specifically the way password reset links are generated. The application constructs absolute password reset URLs directly from the `req.headers.host` value of the incoming HTTP request, without validation, and forces the URL scheme to HTTP rather than HTTPS. Because the Host header is client-controlled, an attacker who can manipulate it, either directly or through a misconfigured proxy or load balancer that forwards the header unchanged, can make the application generate reset links that point to an attacker-controlled domain or are delivered over unencrypted HTTP. If a victim follows such a link, the reset token is disclosed to the attacker's host, or it can be intercepted on the network because it travels over plain HTTP; the stolen token can then be used to reset the user's password and take over the account. The vulnerability requires no authentication and is exploitable remotely, which increases its risk. No official CVSS score has been assigned yet, and no exploits in the wild were reported as of the publication date. The impact on confidentiality and integrity is nevertheless significant because of the potential for credential theft and unauthorized access.
Potential Impact
For European organizations, this vulnerability can lead to severe security breaches including unauthorized access to user accounts through stolen password reset tokens. The exploitation could facilitate phishing campaigns where users are tricked into clicking malicious reset links, compromising user credentials and organizational data. Organizations relying on FelixRiddle dev-jobs-handlebars or similar frameworks that do not validate Host headers are at risk. The use of HTTP rather than HTTPS exacerbates the risk by enabling token interception via network sniffing, especially in environments with untrusted networks or insufficient TLS enforcement. This could impact sectors with sensitive user data such as finance, healthcare, and government services. Additionally, organizations using proxies or load balancers that do not sanitize or validate Host headers increase their exposure. The breach of user accounts can lead to data leaks, reputational damage, regulatory penalties under GDPR, and operational disruptions.
Mitigation Recommendations
To mitigate this vulnerability, generate absolute URLs from a configured canonical base URL, or validate the Host header against a strict allowlist, instead of relying on the client-controlled header. Password reset links should always use HTTPS so that tokens are encrypted in transit. Review and update proxy and load balancer configurations so that the Host header cannot be manipulated or forwarded unchecked. Employ a web application firewall (WAF) to detect and block suspicious Host header values. Additionally, enable multi-factor authentication (MFA) to limit the impact of compromised credentials. Conduct code reviews and security testing to identify similar URL-construction issues in other parts of the application. Finally, monitor logs for unusual password reset requests or Host header anomalies so that exploitation attempts are detected early.
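The following is an added example, not code from dev-jobs-handlebars: the vulnerable pattern described in this advisory (scheme forced to `http://`, host taken from `req.headers.host`) beside a hardened builder that derives the origin from configuration, plus a Host allowlist check for defence in depth. The request objects, the `/reset/` path, the base URL and the hostnames are constructed values assumed for illustration.

```javascript
// Added example (not the project's code). Request objects are constructed plain
// objects shaped like Express's req; paths and hostnames are assumptions.

// Vulnerable pattern: scheme is forced to http:// and the host comes straight
// from the client-controlled Host header, so an attacker who controls that
// header decides where the reset token is sent.
function buildResetLinkVulnerable(req, token) {
  return `http://${req.headers.host}/reset/${token}`;
}

// Hardened: the origin comes from configuration (an assumed canonical base
// URL such as an APP_BASE_URL setting), never from the request, and anything
// other than https is rejected so the token is always encrypted in transit.
function buildResetLinkSafe(token, baseUrl) {
  const origin = new URL(baseUrl);
  if (origin.protocol !== "https:") {
    throw new Error("reset links must use https");
  }
  return new URL(`/reset/${encodeURIComponent(token)}`, origin.origin).href;
}

// Defence in depth: accept only Host values on an allowlist, so a proxy that
// forwards the header unchanged cannot inject an arbitrary host. Returns the
// normalised hostname, or null when the header is missing or not allowed.
function validateHost(req, allowedHosts) {
  const raw = req.headers.host;
  if (typeof raw !== "string" || raw.length === 0) return null;
  let hostname;
  try {
    // Parse with the URL class so ports and IPv6 literals are handled and the
    // hostname is lower-cased before comparison.
    hostname = new URL(`http://${raw}`).hostname;
  } catch {
    return null;
  }
  return allowedHosts.includes(hostname) ? hostname : null;
}

// Constructed sample: a request carrying a spoofed Host header.
const spoofed = { headers: { host: "attacker.example" } };
const TOKEN = "constructed-token-123";

function demo() {
  return {
    vulnerable: buildResetLinkVulnerable(spoofed, TOKEN),
    safe: buildResetLinkSafe(TOKEN, "https://jobs.example.org"),
    hostCheck: validateHost(spoofed, ["jobs.example.org"]),
  };
}
```

Running `demo()` shows the vulnerable link pointing at the attacker's host while the hardened link ignores the request entirely and the allowlist check rejects the spoofed header.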
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f108349f8a5dbaeadb947f
Added to database: 10/16/2025, 2:59:00 PM
Last enriched: 10/16/2025, 3:14:33 PM
Last updated: 10/16/2025, 4:52:53 PM