
CVE-2025-62428: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in Drawing-Captcha Drawing-Captcha-APP

Severity: High
Published: Thu Oct 16 2025 (10/16/2025, 18:57:14 UTC)
Source: CVE Database V5
Vendor/Project: Drawing-Captcha
Product: Drawing-Captcha-APP

Description

Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints. It allows an attacker to manipulate the Host header in HTTP requests to generate malicious email confirmation links. These links can redirect users to attacker-controlled domains. This vulnerability affects all users relying on email confirmation for account registration or verification. This vulnerability is fixed in 1.2.5-alpha-patch.

AI-Powered Analysis

Last updated: 10/16/2025, 19:14:25 UTC

Technical Analysis

CVE-2025-62428 is an open redirect vulnerability classified under CWE-601, found in the Drawing-Captcha-APP, a tool that provides interactive verification for web applications. The root cause is a Host Header Injection vulnerability in the /register and /confirm-email endpoints, where the application trusts the Host header from incoming HTTP requests without proper validation. Attackers can exploit this by sending crafted requests with manipulated Host headers, causing the application to generate email confirmation links that redirect users to attacker-controlled domains. This can facilitate phishing attacks by tricking users into clicking malicious links that appear legitimate, potentially leading to credential theft, session hijacking, or further exploitation. The vulnerability affects all versions prior to 1.2.5-alpha-patch and does not require authentication or user interaction to exploit, increasing its risk profile. The CVSS 4.0 base score of 8.8 reflects the vulnerability's ease of exploitation (network vector, low attack complexity), no privileges or user interaction required, and high impact on confidentiality and integrity due to potential redirection to malicious sites. Although no exploits are currently known in the wild, the vulnerability's presence in a widely used verification component makes it a significant threat. The fix involves updating to version 1.2.5-alpha-patch where proper validation of the Host header is implemented to prevent injection and open redirect issues.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily through phishing and social engineering attacks leveraging malicious email confirmation links. Attackers can redirect users to fraudulent websites that mimic legitimate services, increasing the likelihood of credential compromise or malware infection. This can lead to unauthorized access to sensitive systems, data breaches, and reputational damage. Organizations relying on Drawing-Captcha-APP for user verification are particularly vulnerable, as the attack vector targets the account registration and email confirmation process—a critical security control. The lack of required authentication or user interaction for exploitation broadens the attack surface, potentially affecting a large user base. Additionally, sectors with high regulatory scrutiny in Europe, such as finance, healthcare, and government, may face compliance risks if user data is compromised due to this vulnerability. The potential for widespread phishing campaigns exploiting this flaw could also impact end users and partners, amplifying the overall damage.

Mitigation Recommendations

European organizations should immediately upgrade Drawing-Captcha-APP to version 1.2.5-alpha-patch, which contains the fix for this vulnerability. Beyond patching, organizations should implement strict validation of Host headers on all endpoints to ensure they match expected domain values, rejecting or sanitizing any suspicious inputs. Email confirmation links should be generated using server-side trusted values rather than relying on client-supplied headers. Employing web application firewalls (WAFs) with rules to detect and block Host header manipulation attempts can provide an additional layer of defense. Security teams should audit email templates and confirmation workflows to verify no other injection points exist. User awareness training focused on recognizing phishing attempts involving email confirmation links can reduce the risk of successful exploitation. Monitoring for anomalous registration or confirmation activities and implementing rate limiting can help detect and mitigate automated exploitation attempts. Finally, organizations should review their incident response plans to address potential phishing or credential compromise incidents stemming from this vulnerability.
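The following is an added example, not code from Drawing-Captcha-APP, illustrating the pattern behind this CVE and the hardened form recommended above: the vulnerable function derives the confirmation link's origin from the client-supplied Host header, while the fixed function takes the origin from server-side configuration and only uses the Host header to reject requests outside an allowlist. The hostnames, the `PUBLIC_ORIGIN` constant and the request objects are constructed for the example.

```javascript
// Vulnerable pattern (as described for /register and /confirm-email):
// the link's scheme and authority come straight from request headers,
// so an attacker who controls Host controls where the emailed link points.
function buildConfirmLinkUnsafe(headers, token) {
  const host = headers["x-forwarded-host"] || headers["host"];
  return `https://${host}/confirm-email?token=${encodeURIComponent(token)}`;
}

// Hardened pattern: a configured public origin is the single source of truth
// for generated links; the Host header is validated, never reused.
const PUBLIC_ORIGIN = "https://captcha.example.org";          // constructed config
const ALLOWED_HOSTS = new Set(["captcha.example.org"]);       // constructed config

// Returns true only if the Host header names a host we serve.
// The port is dropped, case is normalised, and anything that is not a
// plain DNS hostname (e.g. an injected path or userinfo) is rejected.
function hostAllowed(headers) {
  const raw = headers["host"];
  if (typeof raw !== "string" || raw.length === 0) return false;
  const hostname = raw.split(":")[0].toLowerCase();
  if (!/^[a-z0-9.-]+$/.test(hostname)) return false;
  return ALLOWED_HOSTS.has(hostname);
}

function buildConfirmLinkSafe(headers, token) {
  if (!hostAllowed(headers)) {
    // A mismatched Host is a signal worth logging: it is the precondition
    // for the injection this CVE describes.
    throw new Error(`rejected request: Host header "${headers["host"]}" not in allowlist`);
  }
  const url = new URL("/confirm-email", PUBLIC_ORIGIN);   // origin is never client data
  url.searchParams.set("token", token);
  return url.toString();
}

// Constructed requests: one with an attacker-supplied Host, one legitimate.
const SPOOFED_REQUEST = { host: "attacker.example.net" };
const LEGIT_REQUEST = { host: "captcha.example.org" };

console.log("unsafe:", buildConfirmLinkUnsafe(SPOOFED_REQUEST, "t0k3n"));
console.log("safe:  ", buildConfirmLinkSafe(LEGIT_REQUEST, "t0k3n"));
```

Run with Node.js; the unsafe line shows the attacker's domain in the emailed link, while the safe builder refuses the spoofed request entirely.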


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-10-13T16:26:12.180Z
Cvss Version
4.0
State
PUBLISHED


Added to database: 10/16/2025, 6:59:03 PM

Last enriched: 10/16/2025, 7:14:25 PM

Last updated: 10/17/2025, 4:12:56 PM
