CVE-2025-61543: n/a
CVE-2025-61543 is a Host Header Injection vulnerability in CraftMyCMS version 4.0.2.2 affecting its password reset functionality. The application uses the HTTP Host header directly to generate password reset links sent via email, allowing attackers to manipulate the Host header and craft malicious reset URLs. This can lead to phishing attacks or account takeover by tricking users into clicking attacker-controlled links. No known exploits are currently reported in the wild. The vulnerability does not require user authentication but does require the attacker to intercept or influence HTTP requests to the vulnerable server. European organizations using CraftMyCMS 4.0.
AI Analysis
Technical Summary
CVE-2025-61543 is a Host Header Injection vulnerability identified in CraftMyCMS version 4.0.2.2, specifically within its password reset functionality. The vulnerability arises because the application directly uses the HTTP Host header ($_SERVER['HTTP_HOST']) to construct password reset URLs sent to users via email. Since the Host header is user-controllable in HTTP requests, an attacker can manipulate this header to inject arbitrary hostnames or domains into the reset link. This manipulation enables attackers to craft malicious password reset emails containing links that direct victims to attacker-controlled domains. Consequently, this can facilitate phishing attacks where users are tricked into divulging credentials or performing unauthorized password resets, potentially leading to account takeover. The vulnerability does not require authentication, and exploitation only requires the ability to send crafted HTTP requests to the vulnerable server. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The lack of input validation or sanitization of the Host header is the root cause. This vulnerability highlights the risk of trusting user-controllable HTTP headers when generating security-sensitive links. Remediation involves validating the Host header against a whitelist or hardcoding the domain used in password reset links to prevent injection of malicious hosts. Organizations should monitor for updates or patches from CraftMyCMS and apply them promptly once available.
Potential Impact
For European organizations using CraftMyCMS 4.0.2.2, this vulnerability poses a significant risk to user account security and organizational reputation. Successful exploitation can lead to phishing campaigns leveraging legitimate password reset emails with attacker-controlled links, increasing the likelihood of credential theft. Account takeover risks can result in unauthorized access to sensitive data, disruption of services, and potential lateral movement within networks. The phishing aspect can also damage trust in the organization's communications and brand. Since password reset functionality is commonly used, the attack surface is broad. The vulnerability could be exploited by remote attackers without authentication, increasing the threat level. Organizations with large user bases or handling sensitive information are particularly vulnerable. Additionally, regulatory compliance risks exist if compromised accounts lead to data breaches under GDPR. The absence of known exploits currently provides a window for proactive mitigation, but the ease of exploitation suggests attackers may develop exploits soon.
Mitigation Recommendations
1. Implement strict validation of the Host header by comparing it against a whitelist of allowed domains or by hardcoding the domain used in password reset URLs, avoiding reliance on user-controllable headers.
2. Modify the password reset functionality to construct URLs using a trusted configuration value rather than $_SERVER['HTTP_HOST'].
3. Monitor and apply official patches or updates from CraftMyCMS as soon as they are released addressing this vulnerability.
4. Employ email security measures such as DMARC, DKIM, and SPF to reduce the effectiveness of phishing emails.
5. Educate users to verify URLs in password reset emails and report suspicious links.
6. Implement multi-factor authentication (MFA) to reduce the impact of credential compromise.
7. Conduct regular security assessments and penetration testing focusing on HTTP header injection and related vulnerabilities.
8. Monitor logs for unusual password reset requests or anomalies in Host headers to detect potential exploitation attempts early.
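Added example (not CraftMyCMS's own code): the vulnerable pattern described in the Technical Summary next to a hardened reset-link builder that takes the domain from trusted configuration, rejects unexpected Host values and logs the rejection, which is what mitigations 1, 2 and 8 above ask for. The allowlist, base URL, reset path and function names are assumptions.

```php
<?php
// Vulnerable pattern from the advisory: the link host is copied straight from
// the request, so whoever submits the reset request picks the domain that
// ends up in the victim's email.
function buildResetLinkVulnerable(string $token): string
{
    return 'https://' . $_SERVER['HTTP_HOST'] . '/reset.php?token=' . rawurlencode($token);
}

// Hardened pattern: the link host comes from configuration (assumed values),
// and the request's Host header is only compared against an allowlist.
const ALLOWED_HOSTS = ['cms.example.org', 'www.example.org'];
const CANONICAL_BASE_URL = 'https://cms.example.org';

function hostIsAllowed(?string $host): bool
{
    if ($host === null || $host === '') {
        return false;
    }
    // Drop an explicit port and normalise case before the exact comparison;
    // in_array with strict=true avoids loose-comparison surprises.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
    return in_array($host, ALLOWED_HOSTS, true);
}

function buildResetLinkHardened(string $token, ?string $requestHost): ?string
{
    if (!hostIsAllowed($requestHost)) {
        // Mitigation 8: a forged Host on a reset request is worth a log line.
        error_log('password reset: rejected unexpected Host header ' . var_export($requestHost, true));
        return null; // caller must not send any email for this request
    }
    // The request host is never interpolated; the base URL is fixed.
    return CANONICAL_BASE_URL . '/reset.php?token=' . rawurlencode($token);
}

// Usage inside a reset handler (token value is constructed for illustration).
$link = buildResetLinkHardened('constructed-token-123', $_SERVER['HTTP_HOST'] ?? null);
if ($link !== null) {
    // mail($userEmail, 'Password reset', "Reset your password: $link");
}
```

With a request carrying `Host: evil.example.net`, the hardened builder returns null and writes the rejected value to the error log instead of mailing an attacker-controlled link.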
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68f108349f8a5dbaeadb9488
Added to database: 10/16/2025, 2:59:00 PM
Last enriched: 10/16/2025, 3:14:02 PM
Last updated: 10/16/2025, 4:53:00 PM