Home > Vulnerability Database > CVE-2025-61132

Mend.io Vulnerability Database

CVE-2025-61132

Date: October 22, 2025

A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME.

Severity Score

7.1

Related Resources (7)

Url: https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning

Url: https://gist.github.com/BrookeYangRui/94c3bee0c2cbc1ed81a21d4448550c21

Url: https://github.com/levlaz/braindump/blob/9640dd03f99851dbd34dd6cac98a747a4a591b01/app/templates/auth/email/reset_password.html#L1-L8

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-61132

Url: https://github.com/levlaz/braindump/blob/9640dd03f99851dbd34dd6cac98a747a4a591b01/app/auth/views.py#L131-L148

Url: https://drive.google.com/file/d/1FmkctLdOTGMdy6GgLaTzfxemdVDeiA7J/view?usp=sharing

Url: https://www.mend.io/vulnerability-database/CVE-2025-61132

Severity Score

7.1

Weakness Type (CWE)

Unverified Password Change

CWE-620

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-61132

Date: October 22, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?