CVE-2024-57177

Name of the Vulnerable Software and Affected Versions perfood/couch-auth versions <= 0.21.2

Description A host header injection vulnerability exists in the NPM package of perfood/couch-auth. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a Server-Side Template Injection (SSTI) which can be leveraged to run limited commands or leak server-side information.

Recommendations For perfood/couch-auth versions <= 0.21.2, consider disabling the email change confirmation feature until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the host header in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.