CVE-2023-39655 – This host header injection vulnerability in @pe... (How to Fix)

Q: What is the severity of CVE-2023-39655?

CVE-2023-39655 has a CVSS score of 9.6 (CRITICAL). This host header injection vulnerability in @perfood/couch-auth allows attackers to send password reset links that redirect to attacker-controlled servers, leaking reset tokens. Attackers can then reset users' passwords and take over accounts. Anyone using affected versions of this NPM package is vulnerable.

📋 TL;DR

This host header injection vulnerability in @perfood/couch-auth allows attackers to send password reset links that redirect to attacker-controlled servers, leaking reset tokens. Attackers can then reset users' passwords and take over accounts. Anyone using affected versions of this NPM package is vulnerable.

💻 Affected Systems

Products:

@perfood/couch-auth

Versions: <= 0.20.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using the vulnerable forgot password functionality is affected regardless of configuration.

📦 What is this software?

Couchauth by Perfood

View all CVEs affecting Couchauth →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover of all users, leading to data breaches, privilege escalation, and potential lateral movement within systems.

🟠

Likely Case

Targeted account takeover of specific users, potentially compromising sensitive data and application functionality.

🟢

If Mitigated

Limited impact if proper input validation and host header verification are implemented, though risk remains until patched.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending a crafted host header to the forgot password endpoint, which is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 0.20.0

Vendor Advisory: https://www.npmjs.com/package/%40perfood/couch-auth

Restart Required: Yes

Instructions:

1. Update package.json to specify @perfood/couch-auth version > 0.20.0. 2. Run 'npm update @perfood/couch-auth'. 3. Restart your application server.

🔧 Temporary Workarounds

Host Header Validation

all

Implement middleware to validate and sanitize host headers before processing requests.

Disable Password Reset

all

Temporarily disable the forgot password functionality if not critical.

🧯 If You Can't Patch

Implement strict host header validation at the web server or application firewall level.
Monitor for suspicious password reset requests and implement rate limiting on the forgot password endpoint.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list @perfood/couch-auth' to see if version <= 0.20.0 is installed.

Check Version:

npm list @perfood/couch-auth

Verify Fix Applied:

After updating, verify the installed version is > 0.20.0 using 'npm list @perfood/couch-auth'.

📡 Detection & Monitoring

Log Indicators:

Unusual host headers in forgot password requests
Multiple password reset requests from single IPs

Network Indicators:

HTTP requests with manipulated host headers to password reset endpoints

SIEM Query:

source="web_logs" AND (uri_path="/forgot-password" OR uri_path="/reset-password") AND host_header!="expected-domain.com"

📊 Metadata

CVE ID: CVE-2023-39655

CVSS v3 Score: 9.6 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE: CWE-74

Published: January 3, 2024

Last Updated: June 18, 2025

🔗 References

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-39655 Third Party Advisory
https://www.npmjs.com/package/%40perfood/couch-auth Product
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-39655 Third Party Advisory
https://www.npmjs.com/package/%40perfood/couch-auth Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-39655, you might also want to check these: