CVE-2025-70948 is a host header injection vulnerability identified in the mailer component of the @perfood/couch-auth package, specifically version 0.26.0. The vulnerability arises because the mailer functionality relies on the HTTP Host header without proper validation or sanitization. An attacker can craft HTTP requests with a spoofed Host header to manipulate the generation or delivery of password reset tokens. By doing so, the attacker can intercept or obtain these tokens, which are intended to be secret and used to reset user passwords securely. With access to these tokens, the attacker can perform account takeover attacks, gaining unauthorized access to user accounts. This vulnerability affects the confidentiality of reset tokens and the integrity of user accounts. Exploitation does not require user interaction but does require the attacker to send specially crafted requests to the vulnerable service. No CVSS score has been assigned yet, and no patches or fixes have been published at the time of disclosure. The vulnerability is classified as a security weakness in input validation and trust boundary enforcement within the authentication system. The lack of known exploits in the wild suggests it is newly discovered, but the potential impact is significant due to the sensitive nature of password reset mechanisms.

The primary impact of CVE-2025-70948 is the compromise of user account security through unauthorized access. Attackers exploiting this vulnerability can obtain password reset tokens, which are critical for regaining access to accounts. This leads to a breach of confidentiality, as sensitive tokens are exposed, and a breach of integrity, as attackers can change account credentials and assume user identities. Organizations using the vulnerable @perfood/couch-auth package in their authentication workflows risk widespread account takeovers, potentially leading to data breaches, unauthorized transactions, and reputational damage. The vulnerability could also facilitate lateral movement within compromised environments if attackers gain access to privileged accounts. Since the flaw involves HTTP header manipulation, it can be exploited remotely without requiring user interaction, increasing the attack surface. The absence of patches means organizations remain exposed until mitigations or updates are applied. This vulnerability could affect web applications, SaaS platforms, and any service relying on this authentication component, impacting industries such as finance, healthcare, e-commerce, and technology.

To mitigate CVE-2025-70948, organizations should immediately implement strict validation and sanitization of the HTTP Host header within their applications, ensuring that only expected and authorized hostnames are accepted. Employing a whitelist approach for allowed Host headers can prevent malicious spoofing. Additionally, developers should avoid relying solely on the Host header for security-sensitive operations like token generation or email link construction. Implementing additional verification steps, such as binding reset tokens to user-specific data or using cryptographically signed tokens, can reduce the risk of token interception. Monitoring and logging suspicious HTTP requests with unusual Host headers can help detect exploitation attempts. Until an official patch is released, consider isolating or disabling the vulnerable mailer component if feasible. Organizations should also keep their dependencies up to date and subscribe to security advisories for @perfood/couch-auth to apply patches promptly once available. Conducting security reviews and penetration testing focused on header injection vulnerabilities is recommended to identify similar issues.