CVE-2024-25625

8.1 HIGH

📋 TL;DR

This CVE describes a Host Header Injection vulnerability in Pimcore's Admin Classic Bundle that allows attackers to manipulate invitation email links. By sending crafted HTTP requests with malicious host headers to the /admin/user/invitationlink endpoint, attackers can make invitation emails point to their own domains, enabling phishing attacks. All Pimcore installations using affected versions of the admin-ui-classic-bundle are vulnerable.

💻 Affected Systems

Products:
  • pimcore/admin-ui-classic-bundle
Versions: All versions prior to 1.3.4
Operating Systems: All operating systems running Pimcore
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Pimcore installations using the Admin Classic Bundle. The vulnerability is present in default configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Successful phishing campaigns leading to credential theft, account compromise, and potential lateral movement within the Pimcore environment.

🟠 Likely Case: Phishing attacks targeting Pimcore administrators or users, potentially leading to credential harvesting and unauthorized access.

🟢 If Mitigated: Minimal impact with proper host header validation and email link verification procedures in place.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is typically exposed to the internet in Pimcore deployments, making it accessible to external attackers.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this vulnerability for phishing campaigns within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the invitation link endpoint, which typically requires authentication. The attack technique is well-known and simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4

Vendor Advisory: https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx

Restart Required: No

Instructions:

1. Update pimcore/admin-ui-classic-bundle to version 1.3.4 or later using composer: composer update pimcore/admin-ui-classic-bundle
2. Clear the application cache if necessary.
3. Verify the update was successful by checking the bundle version.

🔧 Temporary Workarounds

Host Header Validation via Web Server

Platform: all

Configure the web server to validate or override the Host header before the request reaches the application:

# Apache: Set the ServerName directive
# Nginx: Use the $host variable with validation
# Configure trusted hosts in the web server configuration

Disable Invitation Link Endpoint

Platform: all

Temporarily disable the vulnerable /admin/user/invitationlink endpoint:

# Add a rewrite rule to block access to the endpoint
# Example Apache: RewriteRule ^/admin/user/invitationlink - [F]
# Example Nginx: location ~ ^/admin/user/invitationlink { return 403; }

🧯 If You Can't Patch

  • Implement strict host header validation at the application level or web server level
  • Monitor and alert on suspicious host header values in HTTP requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check the installed version of pimcore/admin-ui-classic-bundle. If version is less than 1.3.4, the system is vulnerable.

Check Version:

composer show pimcore/admin-ui-classic-bundle | grep versions

Verify Fix Applied:

Verify that pimcore/admin-ui-classic-bundle version is 1.3.4 or higher and test that host header manipulation no longer affects invitation links.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /admin/user/invitationlink with unusual host headers
  • Multiple failed login attempts following invitation email sends
  • Unusual host header values in application logs

Network Indicators:

  • HTTP POST requests to /admin/user/invitationlink with manipulated Host headers
  • Outbound emails with suspicious domain links

SIEM Query:

source="web_logs" AND (uri_path="/admin/user/invitationlink" AND NOT host_header IN ["trusted-domain1", "trusted-domain2"])
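The log indicators and SIEM query above can also be checked offline against raw web server logs. The following is an added example (not part of this advisory or of Pimcore) that parses constructed combined-format log lines whose last quoted field is the request's Host header (Apache %{Host}i or Nginx $http_host, which is an assumption about how the logs are configured), normalizes case and port suffixes, and flags requests to the invitation-link endpoint whose Host is not in the trusted allowlist.

```python
import re
from typing import Iterable

# Constructed sample log lines: combined format with the Host header appended as
# the last quoted field (assumes Apache "%{Host}i" or Nginx "$http_host" logging).
SAMPLE_LOG = """\
203.0.113.5 - admin [12/Feb/2024:10:15:22 +0000] "POST /admin/user/invitationlink HTTP/1.1" 200 512 "-" "Mozilla/5.0" "cms.example.com"
203.0.113.5 - admin [12/Feb/2024:10:16:03 +0000] "POST /admin/user/invitationlink HTTP/1.1" 200 512 "-" "Mozilla/5.0" "CMS.EXAMPLE.COM:443"
198.51.100.9 - admin [12/Feb/2024:10:17:41 +0000] "POST /admin/user/invitationlink HTTP/1.1" 200 512 "-" "curl/8.4" "attacker-controlled.example"
198.51.100.9 - - [12/Feb/2024:10:18:00 +0000] "GET /admin/login HTTP/1.1" 200 1024 "-" "curl/8.4" "attacker-controlled.example"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

TARGET_PATH = "/admin/user/invitationlink"

def normalize_host(raw: str) -> str:
    """Lower-case and strip a port suffix so 'CMS.EXAMPLE.COM:443' matches 'cms.example.com'."""
    host = raw.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:8080
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def find_suspicious_requests(lines: Iterable[str], trusted_hosts: set[str]) -> list[dict]:
    """Return parsed entries that hit the invitation-link endpoint with an untrusted Host header."""
    trusted = {normalize_host(h) for h in trusted_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparseable line: skip rather than crash
        # The path may carry a query string; compare only the path component.
        path = m.group("path").split("?", 1)[0]
        if path != TARGET_PATH:
            continue
        host = normalize_host(m.group("host"))
        if host not in trusted:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "user": m.group("user"), "host": host})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG.splitlines(), {"cms.example.com"}):
        print(f"ALERT {hit['ts']} {hit['ip']} user={hit['user']} host={hit['host']}")
```

Only the third sample line is reported: the second carries the trusted host in a different case with a port and is correctly accepted, and the fourth targets a different path.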

🔗 References