CVE-2025-70948
- EPSS 0.03%
- Published 05.03.2026 00:00:00
- Last modified 06.03.2026 11:16:08
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.
CVE-2025-70949
- EPSS 0.03%
- Published 05.03.2026 00:00:00
- Last modified 06.03.2026 11:16:08
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.
CVE-2025-60794
- EPSS 0.02%
- Published 20.11.2025 00:00:00
- Last modified 12.12.2025 15:34:10
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, d...
CVE-2024-57177
- EPSS 0.13%
- Published 10.02.2025 20:15:41
- Last modified 17.12.2025 16:16:04
A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger an SSTI which can be leveraged to run limit...
CVE-2023-39655
- EPSS 0.1%
- Published 03.01.2024 13:15:08
- Last modified 18.06.2025 16:15:21
A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicke...