PT-2025-43524 · Unknown+1 · Levlaz Braindump+1

Published 2025-10-23 · Updated 2025-10-28 · CVE-2025-61132

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions

levlaz braindump version 0.4.14

Description

A Host Header Injection flaw exists in the password reset functionality of the software. Remote attackers can manipulate the Host header during password reset link generation, specifically when Flask's url_for(_external=True) is used without a defined SERVER_NAME. Successful exploitation can lead to password reset poisoning and subsequent account takeover. The vulnerable component is the password reset functionality, which uses the url_for() function to generate reset links.

Recommendations

Versions prior to 0.4.14 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
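
The behaviour described above, as an added example (not braindump's code and not part of this advisory): a minimal Flask app showing that url_for(_external=True) takes the link's host from the request when SERVER_NAME is unset, and from configuration once it is pinned. The route, function names, token and the hosts app.example and attacker.example are constructed for illustration.

```python
"""Added illustration: Host header vs. Flask url_for(_external=True).

Not code from braindump. Route, names, token and hosts are constructed.
"""
from flask import Flask, url_for


def make_app(server_name=None):
    """Build a minimal app; server_name=None mirrors the unset SERVER_NAME case."""
    app = Flask(__name__)
    if server_name is not None:
        app.config["SERVER_NAME"] = server_name  # pin the canonical host

    @app.route("/reset/<token>")  # hypothetical reset endpoint
    def password_reset(token):
        return "reset form"

    return app


def reset_link(app, host_header, token="tok123"):
    """Return the link the app would e-mail for a request carrying host_header."""
    # base_url sets the Host header of the simulated HTTPS request.
    with app.test_request_context("/", base_url=f"https://{host_header}"):
        return url_for("password_reset", token=token, _external=True)


def require_pinned_host(app):
    """Startup check: refuse to run when external URLs would follow the request."""
    if not app.config.get("SERVER_NAME"):
        raise RuntimeError("SERVER_NAME is unset; external URLs follow the Host header")


if __name__ == "__main__":
    unpinned, pinned = make_app(), make_app("app.example")
    for label, app in (("unpinned", unpinned), ("pinned", pinned)):
        # Same request host in both cases; only the configuration differs.
        print(label, reset_link(app, "attacker.example"))
```

Pinning SERVER_NAME addresses link generation in the application; rejecting unexpected Host values at the reverse proxy is a complementary control.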

Weakness Enumeration

Related Identifiers

CVE-2025-61132

Affected Products

Flask
Levlaz Braindump