CVE-2025-25198
📋 TL;DR
This vulnerability in mailcow: dockerized allows attackers to manipulate the Host HTTP header during password reset requests, generating malicious reset links that point to attacker-controlled domains. If users click these poisoned links, attackers can potentially take over their accounts. All mailcow installations prior to version 2025-01a are affected.
💻 Affected Systems
- mailcow: dockerized
📦 What is this software?
Mailcow by Mailcow
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any mailcow user, potentially leading to unauthorized email access, data theft, and further lateral movement within the organization.
Likely Case
Targeted account takeover of specific users through social engineering, leading to email compromise and potential credential harvesting.
If Mitigated
No impact if password reset functionality is disabled or proper patching is applied.
🎯 Exploit Status
Exploitation requires sending a password reset request with a manipulated Host header and convincing a user to click the malicious link.
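The root cause described above is a reset link whose origin is taken from the client-supplied Host header. The following Python is an added illustration, not mailcow's own (PHP) code: it places the weak pattern beside the hardened one, which validates the Host value against an allowlist and builds the link from a configured canonical hostname instead (mailcow keeps that name as MAILCOW_HOSTNAME in mailcow.conf; the hostname, header values and endpoint path used here are constructed placeholders).

```python
"""Illustrative Python (added here; not mailcow's own PHP code) showing why the
reset link must not be derived from the client-supplied Host header."""
import re
import secrets
from urllib.parse import quote

# Assumption: the public hostname comes from deployment configuration, never from
# the request (mailcow keeps it as MAILCOW_HOSTNAME in mailcow.conf). Placeholder value.
CANONICAL_HOST = "mail.example.org"
ALLOWED_HOSTS = {CANONICAL_HOST}


class HostHeaderNotAllowed(ValueError):
    """Raised when a request carries a Host value this instance does not serve."""


def new_reset_token():
    """Unguessable token to embed in the link (32 random bytes, URL-safe)."""
    return secrets.token_urlsafe(32)


def normalise_host(value):
    """Lower-case the Host value and drop an explicit port before comparing."""
    return re.sub(r":\d+$", "", value.strip().lower())


def build_reset_link_vulnerable(request_headers, token):
    """The weak pattern: the client's Host header becomes the link's origin, so a
    request with a forged Host produces a link pointing at that forged domain."""
    return f"https://{request_headers['Host']}/reset-password?token={quote(token)}"


def build_reset_link_hardened(request_headers, token,
                              canonical_host=CANONICAL_HOST,
                              allowed_hosts=ALLOWED_HOSTS):
    """Hardened pattern: refuse unexpected Host values, and build the link from the
    configured hostname so the client cannot influence it either way."""
    host = normalise_host(request_headers.get("Host", ""))
    if host not in allowed_hosts:
        raise HostHeaderNotAllowed(host)
    return f"https://{canonical_host}/reset-password?token={quote(token)}"


def issue_reset_link(request_headers, token):
    """Request-handler style wrapper: returns the link, or None after logging a
    rejected Host value (the same indicator the detection section watches for)."""
    try:
        return build_reset_link_hardened(request_headers, token)
    except HostHeaderNotAllowed as exc:
        print(f"rejected password reset request: unexpected Host={exc}")
        return None


if __name__ == "__main__":
    token = new_reset_token()
    forged = {"Host": "mail.example.org.attacker.invalid"}   # constructed forged header
    genuine = {"Host": "MAIL.example.org:443"}              # constructed genuine header
    print("vulnerable:", build_reset_link_vulnerable(forged, token))
    print("hardened  :", issue_reset_link(genuine, token))
    print("hardened  :", issue_reset_link(forged, token))
```

The hardened builder does two independent things on purpose: the allowlist check turns a forged Host into a logged rejection rather than a silently wrong link, and using the configured hostname means the link is correct even when the application sits behind a proxy that rewrites Host.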
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025-01a
Vendor Advisory: https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-3mvx-qw4r-fcqf
Restart Required: Yes
Instructions:
1. Update mailcow to version 2025-01a or later.
2. Run the update script: `./update.sh --check` then `./update.sh`.
3. Restart all mailcow services.
🔧 Temporary Workarounds
Disable Password Reset Functionality
Clear the notification email settings to disable password reset functionality entirely:
1. Navigate to System -> Configuration -> Options -> Password Settings
2. Clear the 'Notification email sender' and 'Notification email subject' fields
3. Save changes
🧯 If You Can't Patch
- Implement web application firewall rules to block or sanitize Host header manipulation
- Monitor for suspicious password reset requests and educate users about phishing risks
🔍 How to Verify
Check if Vulnerable:
Check the mailcow version in the admin interface, or with the command under "Check Version" below.
Check Version:
docker exec -it $(docker ps -qf name=mailcow-mailcow) cat /mailcow-version
Verify Fix Applied:
Confirm version is 2025-01a or later and test password reset functionality with manipulated Host headers.
📡 Detection & Monitoring
Log Indicators:
- Unusual Host header values in password reset requests
- Multiple password reset requests from single IP
Network Indicators:
- HTTP requests with manipulated Host headers to password reset endpoint
SIEM Query:
source="mailcow" AND (url="/password-reset" OR url="/reset-password") AND host_header!="expected-domain.com"
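The two log indicators above (an unexpected Host value on a reset request, and many reset requests from one IP) can be checked offline against web-server logs. The script below is an added example, not part of the advisory or of mailcow: it parses a constructed, simplified access-log format that carries the Host header, matches the two reset paths named in the SIEM query, and reports both indicators. The allowed hostname, log lines and addresses are placeholders.

```python
"""Added detection example (not mailcow's code): flag password-reset requests
whose Host header is outside the allowlist, and IPs that burst reset requests."""
import re
from collections import Counter

# Hostnames this instance legitimately answers to (assumption: placeholder value).
ALLOWED_HOSTS = {"mail.example.org"}

# Reset endpoint paths, as named in the advisory's SIEM query.
RESET_PATHS = ("/password-reset", "/reset-password")

# Constructed log line format, one request per line:
# <iso-timestamp> <client-ip> host=<Host header> "<METHOD> <path> HTTP/1.1" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) host=(?P<host>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Constructed sample log: one legitimate reset, four with foreign Host values
# (three of them from the same address), and one unrelated request.
SAMPLE_LOG = """\
2025-02-10T09:00:01Z 203.0.113.5 host=mail.example.org "POST /reset-password HTTP/1.1" 200
2025-02-10T09:00:02Z 198.51.100.7 host=mail.example.org.attacker.invalid "POST /reset-password HTTP/1.1" 200
2025-02-10T09:00:03Z 198.51.100.7 host=evil.invalid "POST /password-reset HTTP/1.1" 200
2025-02-10T09:00:04Z 198.51.100.7 host=evil.invalid "POST /password-reset HTTP/1.1" 200
2025-02-10T09:00:05Z 203.0.113.9 host=mail.example.org "GET /SOGo/ HTTP/1.1" 200
2025-02-10T09:00:06Z 203.0.113.9 host=EVIL.invalid:8443 "POST /reset-password HTTP/1.1" 200
"""


def normalise_host(value):
    """Lower-case the Host value and drop an explicit port before comparing."""
    return re.sub(r":\d+$", "", value.strip().lower())


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    match = LINE_RE.match(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["host"] = normalise_host(entry["host"])
    entry["path"] = entry["path"].split("?", 1)[0]   # ignore any query string
    return entry


def is_reset_request(entry):
    return entry["path"] in RESET_PATHS


def find_host_mismatches(lines, allowed_hosts=ALLOWED_HOSTS):
    """Reset requests whose (normalised) Host header is not an allowed hostname."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_reset_request(entry) and entry["host"] not in allowed_hosts:
            hits.append(entry)
    return hits


def find_reset_bursts(lines, threshold=2):
    """{ip: count} for IPs that made more than `threshold` reset requests."""
    counts = Counter(
        entry["ip"] for entry in map(parse_line, lines)
        if entry and is_reset_request(entry)
    )
    return {ip: n for ip, n in counts.items() if n > threshold}


def analyse(log_text):
    lines = log_text.splitlines()
    return {
        "host_mismatches": find_host_mismatches(lines),
        "reset_bursts": find_reset_bursts(lines),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for e in report["host_mismatches"]:
        print(f"ALERT host mismatch: {e['ts']} {e['ip']} Host={e['host']} {e['method']} {e['path']}")
    for ip, n in report["reset_bursts"].items():
        print(f"ALERT reset burst: {ip} made {n} reset requests")
```

The Host value is normalised (lower-cased, port stripped) before the allowlist comparison so that a value such as `EVIL.invalid:8443` is not missed; the SIEM query above compares the raw field, so apply the same normalisation there or list the expected host with and without its port.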