How severe is CVE-2025-23001?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.1 out of 10.

What type of vulnerability is CVE-2025-23001?

This is classified as CWE-644, which is a common weakness in software security.

CVE-2025-23001 - MEDIUM Severity | CVSS 6.1

Vulnerability Description

A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. An attacker can manipulate the Host header in HTTP requests, which may lead to phishing attacks, reset password, or cache poisoning. NOTE: the Supplier's position is that the end user is supposed to edit the NGINX configuration template to set server_name (with this setting, Host header injection cannot occur).

Related Vulnerabilities

CVE-2021-20784

MEDIUM

CVSS:6.1(Medium)

HTTP header injection vulnerability in Everything version 1.0, 1.1, and 1.2 except the Lite version may allow a remote attacker to inject an arbitrary script or alter the website that uses the product...

CWE-6442021

CVE-2022-45102

MEDIUM

CVSS:6.1(Medium)

Dell EMC Data Protection Central, versions 19.1 through 19.7, contains a Host Header Injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting ...

CWE-6442022

CVE-2023-35894

MEDIUM

CVSS:6.1(Medium)

IBM Control Center 6.2.1 through 6.3.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks again...

CWE-6442023

CVE-2024-47549

MEDIUM

CVSS:6.1(Medium)

Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, which may allow contamination of unintended data to HTTP response headers. Accessing a crafted URL which points to an a...

CWE-6442024

CVE-2024-10006

MEDIUM

CVSS:5.8(Medium)

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.

CWE-6442024

CVE-2022-22399

MEDIUM

CVSS:6.5(Medium)

IBM Aspera Faspex 5.0.0 and 5.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against th...

CWE-6442022