PT-2025-42474 · Unknown · Felixriddle Dev-Jobs-Handlebars

Published 2025-10-16 · Updated 2025-10-16 · CVE-2025-61536
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions: FelixRiddle dev-jobs-handlebars version 1.0

Description: The software builds absolute password-reset links from the untrusted req.headers.host header and hard-codes the http:// scheme. An attacker who controls the Host header, or who can exploit a misconfigured proxy or load balancer, can redirect the reset links to an attacker-controlled domain or cause them to be delivered over insecure HTTP, which can lead to token theft, phishing and account takeover. The vulnerable parameter is req.headers.host.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit


Weakness Enumeration

Related Identifiers

CVE-2025-61536

Affected Products

Felixriddle Dev-Jobs-Handlebars