CVE-2025-63828: n/a
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.
AI Analysis
Technical Summary
CVE-2025-63828 is a Host Header Injection vulnerability identified in Backdrop CMS version 1.32.1. The flaw arises because the application does not properly validate or sanitize the Host header in HTTP requests during password reset operations. Attackers can exploit this by crafting malicious requests with manipulated Host headers, causing the system to generate password reset links that redirect users to attacker-controlled domains. This can lead to session hijacking via cookie injection if users follow these malicious links, as cookies may be set or stolen in the context of the attacker’s domain. The vulnerability is classified under CWE-601 (Open Redirect), highlighting the risk of redirecting users to untrusted locations. The CVSS 3.1 base score is 6.1, reflecting a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, but requiring user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. Although no known exploits are currently reported in the wild, the potential for phishing and session hijacking attacks is significant. The vulnerability impacts confidentiality by risking unauthorized access to user sessions and integrity by allowing attackers to manipulate application behavior. Availability is not affected. The lack of an official patch at the time of reporting necessitates immediate mitigation through configuration and monitoring.
Potential Impact
For European organizations using Backdrop CMS 1.32.1, this vulnerability poses a risk of user session compromise and phishing attacks via malicious redirects. Attackers could hijack user sessions by injecting cookies, potentially gaining unauthorized access to sensitive user accounts or administrative functions. This could lead to data breaches, unauthorized changes, or further exploitation within the organization’s web infrastructure. The impact is particularly critical for organizations with large user bases or those handling sensitive personal or financial data. Public-facing password reset functionalities increase exposure. Additionally, reputational damage and regulatory consequences under GDPR could arise if user data is compromised. The medium severity score reflects that while exploitation requires user interaction, the ease of remote exploitation and the potential for chained attacks elevate the risk. Organizations relying on Backdrop CMS for their websites or intranet portals should consider this a significant threat to their web security posture.
Mitigation Recommendations
1. Immediately implement strict validation and sanitization of the Host header in all HTTP requests, especially those involved in password reset workflows.
2. Configure the application or web server to enforce a whitelist of allowed Host headers to prevent arbitrary host values.
3. Implement strict redirect policies that only allow redirects to trusted domains or relative paths.
4. Monitor web server and application logs for unusual Host header values or redirect patterns indicative of exploitation attempts.
5. Educate users to be cautious of password reset emails and verify URLs before clicking.
6. Deploy Web Application Firewalls (WAFs) with rules to detect and block Host header injection attempts.
7. Once available, promptly apply official patches or updates from Backdrop CMS addressing this vulnerability.
8. Conduct security testing and code reviews focusing on header validation and redirect handling.
9. Consider multi-factor authentication to reduce the impact of session hijacking.
10. Isolate critical systems and limit exposure of password reset endpoints where feasible.
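The following is an added example, not Backdrop CMS code: it places the link-construction flaw described in the technical summary (the reset URL is built from the client-supplied Host header) beside a hardened version that enforces a Host allowlist as in recommendation 2, and adds a log check for recommendation 4. The hostnames, the reset path and the access-log lines are constructed for illustration.

```python
"""Password-reset link construction: Host-trusting pattern beside a hardened form.
Added example, not Backdrop CMS code; hosts, paths and log lines are constructed."""
import re

ALLOWED_HOSTS = {"www.example.org", "example.org"}  # constructed allowlist
CANONICAL_HOST = "www.example.org"                   # constructed fallback

# RFC 1123 hostname labels plus an optional port; anything else is rejected.
_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)(?::\d{1,5})?$"
)

def parse_host(raw):
    """Lower-cased hostname from a Host header value, or None if malformed."""
    m = _HOST_RE.match(raw.strip().lower())
    return m.group("name") if m else None

def is_allowed_host(raw):
    """Allowlist check (mitigation 2): case-insensitive, port ignored, no suffix tricks."""
    return parse_host(raw) in ALLOWED_HOSTS

def vulnerable_reset_link(headers, token):
    """The flawed pattern: the reset URL is built from whatever Host the client sent."""
    return f"https://{headers['Host']}/user/reset/{token}"

def hardened_reset_link(headers, token):
    """Reset URL from an allowed host, else the configured one. Only Host is read;
    forwarded-host style headers are just as client-controlled and are ignored."""
    raw = headers.get("Host", "")
    host = parse_host(raw) if is_allowed_host(raw) else CANONICAL_HOST
    return f"https://{host}/user/reset/{token}"

# Constructed access-log lines: "METHOD PATH host=<Host header value>".
LOG_LINES = [
    "POST /user/password host=www.example.org",
    "POST /user/password host=WWW.EXAMPLE.ORG:443",
    "POST /user/password host=attacker.example",
    "GET /node/1 host=attacker.example",
    "POST /user/password host=evil.example/../",
]

def suspicious_host_entries(lines):
    """Detection (mitigation 4): log lines whose Host value is not on the allowlist."""
    hits = []
    for line in lines:
        m = re.match(r"^\S+ \S+ host=(\S*)$", line)
        if m and not is_allowed_host(m.group(1)):
            hits.append(line)
    return hits
```

Note that the hardened function falls back to the configured canonical host rather than rejecting the request, so a reset e-mail is still sent but can never point anywhere the operator did not configure.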
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691cb8bafcab56a016d65d8e
Added to database: 11/18/2025, 6:19:38 PM
Last enriched: 11/25/2025, 7:11:02 PM
Last updated: 1/7/2026, 5:23:59 AM