CVE-2025-62428: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in Drawing-Captcha Drawing-Captcha-APP
Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints. It allows an attacker to manipulate the Host header in HTTP requests to generate malicious email confirmation links. These links can redirect users to attacker-controlled domains. This vulnerability affects all users relying on email confirmation for account registration or verification. This vulnerability is fixed in 1.2.5-alpha-patch.
AI Analysis
Technical Summary
CVE-2025-62428 is an open redirect vulnerability classified under CWE-601 found in Drawing-Captcha-APP, a tool providing interactive verification for web applications. The flaw is due to Host Header Injection in the /register and /confirm-email endpoints, where the application improperly trusts the Host header from HTTP requests when generating email confirmation links. Attackers can exploit this by sending crafted requests with manipulated Host headers, causing the application to generate confirmation URLs that redirect users to malicious domains controlled by the attacker. This can facilitate phishing attacks, credential harvesting, or redirect users to malware-hosting sites. The vulnerability affects all versions prior to 1.2.5-alpha-patch and does not require authentication or user interaction, making it trivially exploitable remotely. The CVSS 4.0 score of 8.8 reflects high impact on confidentiality and integrity due to potential user credential compromise and trust exploitation. No known exploits are currently reported in the wild, but the vulnerability's nature and ease of exploitation make it a critical risk for any organization relying on Drawing-Captcha-APP for user verification. The fix involves proper validation or sanitization of the Host header and updating to the patched version.
Potential Impact
For European organizations, this vulnerability poses a significant risk to user account security and trust in web-based services. Attackers can exploit the open redirect to craft convincing phishing emails with malicious confirmation links, potentially leading to credential theft, unauthorized account access, or further malware infection. This can result in data breaches, reputational damage, and regulatory non-compliance under GDPR if personal data is compromised. Organizations relying on Drawing-Captcha-APP for user registration or email verification workflows are directly impacted. The vulnerability could also be leveraged in broader social engineering campaigns targeting European users. The lack of required authentication or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. The impact extends to service availability indirectly if compromised accounts are used for fraudulent activities or spam distribution.
Mitigation Recommendations
1. Immediately upgrade Drawing-Captcha-APP to version 1.2.5-alpha-patch or later, which contains the fix for this vulnerability.
2. Implement strict validation and sanitization of the Host header on the server side to ensure it matches expected domain values before generating URLs.
3. Use absolute URLs with hardcoded trusted domains in email confirmation links rather than relying on dynamic Host headers.
4. Employ multi-factor authentication (MFA) to reduce the impact of credential theft.
5. Monitor email confirmation workflows for unusual redirect patterns or user reports of suspicious links.
6. Educate users to verify URLs in confirmation emails and report suspicious redirects.
7. Conduct regular security audits and penetration testing focusing on header injection and open redirect vulnerabilities.
8. Implement Content Security Policy (CSP) and email security standards like DMARC, DKIM, and SPF to reduce phishing success.
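As an added example (not code from Drawing-Captcha-APP), the following Python contrasts the link-building pattern the advisory describes, where the request's Host header becomes the authority of the /confirm-email link, with a version that follows recommendations 2 and 3: the Host header is checked against an allow-list and the link authority always comes from a configured canonical origin. The hostnames, the `token` query parameter name and the function names are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed configuration for this example (placeholder values, not the
# project's): the deployment's canonical public origin and the Host values
# the server legitimately answers for.
CANONICAL_BASE = "https://captcha.example.test"
ALLOWED_HOSTS = frozenset({"captcha.example.test"})


def vulnerable_confirmation_link(host_header: str, token: str) -> str:
    """The CWE-601 pattern: whatever the client sent as Host ends up as the
    authority of the emailed link, so a crafted request to /register yields
    a confirmation link pointing at a domain the attacker chose."""
    return f"https://{host_header}/confirm-email?token={token}"


def normalize_host(host_header: str) -> str:
    """Canonicalise a Host value before comparison: lower-case it and drop an
    explicit default HTTPS port so 'Example.TEST:443' matches 'example.test'."""
    host = host_header.strip().lower()
    if host.endswith(":443"):
        host = host[: -len(":443")]
    return host


def is_trusted_host(host_header: Optional[str]) -> bool:
    """Recommendation 2: an exact allow-list match on the normalised value.
    A missing header, a foreign domain, or a look-alike such as
    'captcha.example.test@evil.example' all fail the check."""
    if host_header is None:
        return False
    return normalize_host(host_header) in ALLOWED_HOSTS


def hardened_confirmation_link(host_header: Optional[str], token: str) -> str:
    """Recommendation 3: refuse untrusted hosts, and even for trusted ones
    never copy the header into the link; the authority is CANONICAL_BASE."""
    if not is_trusted_host(host_header):
        raise ValueError("request rejected: Host header not in allow-list")
    return f"{CANONICAL_BASE}/confirm-email?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one with a manipulated Host.
    print(vulnerable_confirmation_link("captcha.example.test", "t0k3n"))
    print(vulnerable_confirmation_link("attacker.example", "t0k3n"))
    print(hardened_confirmation_link("CAPTCHA.example.test:443", "t0k3n"))
```

The hardened variant rejects the request outright rather than silently substituting the canonical host, so a rejected Host value is visible in server logs and can feed the monitoring suggested in recommendation 5.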
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-13T16:26:12.180Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f140779f8a5dbaeaf6e5c0
Added to database: 10/16/2025, 6:59:03 PM
Last enriched: 10/24/2025, 12:48:50 AM
Last updated: 12/4/2025, 1:34:00 PM