@perfood Couch-Auth Host Header Injection Vulnerability Allowing Account Takeover

Vulnerability

A host header injection vulnerability has been identified in the mailer component of @perfood/couch-auth, specifically in version 0.26.0. This vulnerability allows attackers to spoof the HTTP Host header, enabling them to obtain password reset tokens or email confirmation links. Such actions could lead to unauthorized account access.

Impact

Exploitation of this vulnerability could result in unauthorized account access through account takeover.
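The general pattern behind this class of bug, shown next to a hardened form. This is an added example, not code from @perfood/couch-auth; the function names, the `/password-reset/` route, the hostnames and the config shape are assumptions made for illustration.

```javascript
// Added illustration; function names, route and hostnames are hypothetical.

// Assumption: the public origin and accepted hostnames live in server-side config.
const CONFIG = {
  publicBaseUrl: 'https://app.example.test',
  allowedHosts: ['app.example.test'],
};

// Vulnerable pattern: the link origin is copied from the client-supplied Host header.
function buildResetLinkFromHost(req, token) {
  return `https://${req.headers.host}/password-reset/${encodeURIComponent(token)}`;
}

// Hardened pattern: the origin comes only from configuration.
function buildResetLinkFromConfig(config, token) {
  return new URL(`/password-reset/${encodeURIComponent(token)}`, config.publicBaseUrl).toString();
}

// Defence in depth: refuse requests whose Host header is not an expected value.
function isAllowedHost(req, config) {
  const host = String(req.headers.host || '').trim().toLowerCase();
  return config.allowedHosts.includes(host);
}

// Hardened handler: validate Host, then build the mailed link from config.
function handleResetRequest(req, config, token) {
  if (!isAllowedHost(req, config)) {
    return { status: 400, link: null };
  }
  return { status: 200, link: buildResetLinkFromConfig(config, token) };
}

// Constructed sample requests (not captured traffic).
const normalReq = { headers: { host: 'app.example.test' } };
const spoofedReq = { headers: { host: 'attacker.example.test' } };

console.log(buildResetLinkFromHost(spoofedReq, 'tok123'));
console.log(handleResetRequest(spoofedReq, CONFIG, 'tok123'));
console.log(handleResetRequest(normalReq, CONFIG, 'tok123'));
```

With the first function, the emailed link carries the token to whatever host the request named; with the hardened handler, the same request is rejected and legitimate requests always receive a link on the configured origin.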

Added: Mar 5, 2026, 9:25 PM
Updated: Mar 5, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.3
remediation: 0.0
relevance: 3.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.