CVE-2025-13434

5.3 MEDIUM

📋 TL;DR

CVE-2025-13434 is a vulnerability in jameschz Hush Framework 2.0 in which the HTTP Host header is not properly neutralized before use, allowing remote attackers to inject scripting syntax. It affects any deployment of Hush Framework 2.0 that uses the vulnerable HTTP Host Header Handler component. The vulnerability is remotely exploitable and a public exploit exists.

💻 Affected Systems

Products:
  • jameschz Hush Framework
Versions: 2.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using the vulnerable HTTP Host Header Handler component in Hush\hush-lib\hush\Util.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution or complete system compromise through successful script injection, leading to data theft, system takeover, or lateral movement.

🟠 Likely Case

Cross-site scripting (XSS) leading to session hijacking, credential theft, or other client-side attacks against users.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place; potentially reduced to minor information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on GitHub repositories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider workarounds or migrating to alternative frameworks.

🔧 Temporary Workarounds

Input Validation for Host Header (platform: all)

Implement strict validation of the HTTP Host header so that only expected domain names are accepted (an allowlist, not merely a character filter).

// PHP example: read the standard HTTP_HOST key (PHP populates $_SERVER['HTTP_HOST'], not $_SERVER['HOST']) and allow only hostname characters plus an optional port
if (!preg_match('/^[a-zA-Z0-9.-]+(:[0-9]{1,5})?$/', $_SERVER['HTTP_HOST'] ?? '')) { http_response_code(400); die('Invalid host'); }

Web Server Host Header Enforcement (platform: all)

Configure the web server to reject or override Host headers that do not match the site's own name, so the framework never sees an attacker-chosen value.

# Apache (mod_rewrite, RewriteEngine On): RewriteCond %{HTTP_HOST} !^(www\.)?valid\.domain\.com(:[0-9]+)?$ [NC]
#                                         RewriteRule ^ - [F]
# Nginx: if ($host !~* ^(valid\.domain\.com)$) { return 444; }
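An added example, not code from Hush Framework or from this advisory: the allowlist check described in the first workaround above, written in PHP and run over constructed sample Host values (the allowlisted hostnames and the function name validate_host_header are placeholders of my own).

```php
<?php
// Added example, not part of Hush Framework or this advisory: strict allowlist
// validation of the HTTP Host header, meant for the front controller (index.php)
// before the framework reads $_SERVER['HTTP_HOST']. Hostnames are placeholders.
declare(strict_types=1);

/**
 * Return the canonical host if $rawHost is an allowlisted name (optionally
 * with a port), or null if the request must be rejected.
 */
function validate_host_header(string $rawHost, array $allowed): ?string
{
    // Hostname grammar only: labels of letters, digits and hyphens joined by
    // dots, optional trailing dot, optional :port. Anything else (spaces,
    // quotes, angle brackets, slashes, control characters) fails here.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $re = '/\A(' . $label . '(?:\.' . $label . ')*)\.?(?::([0-9]{1,5}))?\z/i';
    if (!preg_match($re, $rawHost, $m)) {
        return null;
    }
    // A port, if present, must be a real TCP port number.
    if (isset($m[2]) && (int) $m[2] > 65535) {
        return null;
    }
    // Exact, case-insensitive match against the allowlist: no wildcards and
    // no suffix matching, so evil.example.com does not pass for example.com.
    $host = strtolower($m[1]);
    return in_array($host, $allowed, true) ? $host : null;
}

// Constructed sample inputs for the demonstration.
$allowed = ['example.com', 'www.example.com'];
$samples = [
    'example.com',            // accepted
    'WWW.Example.com:8443',   // accepted, normalised to www.example.com
    'example.com.',           // accepted, trailing dot dropped
    'evil.example.com',       // rejected: not on the allowlist
    'example.com<script>',    // rejected: not a hostname at all
    'example.com:99999',      // rejected: impossible port
    '',                       // rejected: missing header
];
foreach ($samples as $sample) {
    printf("%-24s => %s\n", var_export($sample, true), validate_host_header($sample, $allowed) ?? 'REJECT');
}

// In index.php, before bootstrapping Hush:
// if (validate_host_header($_SERVER['HTTP_HOST'] ?? '', $allowed) === null) { http_response_code(400); exit('Invalid host'); }
```

Because the web server's own name check (second workaround) runs before PHP, the two layers are complementary: the server-level rule drops most bad requests cheaply, and this check catches anything that reaches the application, including requests that arrive through a misconfigured proxy.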

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block malicious Host header patterns
  • Isolate affected systems in network segments with strict egress filtering

🔍 How to Verify

Check if Vulnerable:

Check if Hush Framework 2.0 is installed and review Util.php for improper $_SERVER['HOST'] usage

Check Version:

Check composer.json or framework configuration files for version information

Verify Fix Applied:

Test with malicious Host header payloads to ensure proper neutralization

📡 Detection & Monitoring

Log Indicators:

  • Unusual or malformed Host header values in web server logs
  • Multiple failed requests with varying Host headers

Network Indicators:

  • HTTP requests with suspicious Host header patterns
  • Traffic to unexpected domains from affected systems

SIEM Query:

source="web_server" AND (Host="*<script>*" OR Host="*javascript:*" OR Host="*data:*")
