CVE-2025-27913

7.5 HIGH

📋 TL;DR

This vulnerability lets an attacker influence the email messages sent by the Passbolt API by supplying an attacker-controlled domain name in the HTTP Host header, which the server then reuses in the emails it generates. It affects Passbolt API servers that were misconfigured during installation and whose Health Check warnings were ignored. The result is email spoofing and potential phishing attacks.

💻 Affected Systems

Products:
  • Passbolt API
Versions: All versions before 5
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the server was installed incorrectly (not following the official installation process) and the resulting Health Check warnings were ignored.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could send convincing phishing emails appearing to originate from legitimate Passbolt domains, leading to credential theft, account compromise, or malware distribution.

🟠 Likely Case

Email spoofing enabling targeted phishing campaigns against Passbolt users, potentially compromising individual accounts.

🟢 If Mitigated

No impact if proper installation procedures were followed and Health Check warnings were addressed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to send requests with an attacker-controlled HTTP Host header to a misconfigured Passbolt installation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 5 and later

Vendor Advisory: https://www.passbolt.com/incidents/host-header-injection

Restart Required: No

Instructions:

1. Upgrade Passbolt API to version 5 or later.
2. Verify that the installation follows the official documentation.
3. Run Health Check and address any warnings.

🔧 Temporary Workarounds

Configure web server to validate Host headers
  Applies to: all
  Configure your web server (Apache/Nginx) to validate and restrict the acceptable Host header values

Implement reverse proxy with Host header validation
  Applies to: all
  Place Passbolt behind a reverse proxy that validates and sanitizes Host headers
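An added example of the first workaround, written for this page and not taken from Passbolt's own documentation: an Nginx configuration in which a catch-all default server block drops any request whose Host header matches no configured server_name, so only requests for the expected hostname reach the PHP backend. It also logs the raw Host header of rejected requests, which makes the "unusual Host header values" indicator from the Detection section visible in the logs. The hostname passbolt.example.com, the certificate paths, the web root and the PHP-FPM socket path are placeholders to replace with your own values.

```nginx
# Log format that records the Host header verbatim; the stock "combined"
# format does not include it, so forged values would otherwise be invisible.
log_format hostcheck '$remote_addr [$time_local] host="$http_host" "$request" $status';

# Catch-all block: nginx routes a request here when its Host header matches
# no other server_name. Returning 444 closes the connection without a
# response, so a forged Host never reaches the application.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Placeholder certificate: it only has to exist so that TLS can be
    # negotiated before the Host check rejects the request.
    ssl_certificate     /etc/ssl/certs/placeholder.crt;
    ssl_certificate_key /etc/ssl/private/placeholder.key;

    # Keep rejected requests in a separate log for review.
    access_log /var/log/nginx/rejected-host.log hostcheck;
    return 444;
}

# Redirect plain HTTP for the real hostname to HTTPS.
server {
    listen 80;
    server_name passbolt.example.com;
    return 301 https://passbolt.example.com$request_uri;
}

# The only block that serves Passbolt: reached solely when the Host header
# is passbolt.example.com (server_name matching is case-insensitive).
server {
    listen 443 ssl;
    server_name passbolt.example.com;

    ssl_certificate     /etc/ssl/certs/passbolt.example.com.crt;
    ssl_certificate_key /etc/ssl/private/passbolt.example.com.key;

    access_log /var/log/nginx/passbolt.log hostcheck;

    root /usr/share/php/passbolt/webroot;   # placeholder; use your install path
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Hand the application a fixed hostname instead of whatever the client
        # sent (for example the same name with a port suffix or odd casing),
        # so URLs in generated email are built from a known value.
        fastcgi_param HTTP_HOST    passbolt.example.com;
        fastcgi_param SERVER_NAME  passbolt.example.com;
    }
}
```

On Nginx 1.19.4 or later, `ssl_reject_handshake on;` in the catch-all block can replace the placeholder certificate: the TLS handshake is refused outright for unknown names. Whichever variant you use, the workaround only narrows what the web server forwards; upgrading to version 5 and clearing the Health Check warnings remains the fix.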

🧯 If You Can't Patch

  • Ensure proper installation following official Passbolt documentation
  • Run Health Check tool and address all warnings immediately

🔍 How to Verify

Check if Vulnerable:

Check if Passbolt API version is below 5 AND Health Check shows warnings about Host header configuration

Check Version:

Check Passbolt configuration file or admin interface for version information

Verify Fix Applied:

Verify Passbolt API version is 5 or higher AND Health Check shows no warnings about Host header configuration

📡 Detection & Monitoring

Log Indicators:

  • Unusual Host header values in web server logs
  • Multiple failed email delivery attempts with suspicious domains

Network Indicators:

  • HTTP requests with manipulated Host headers to Passbolt API endpoints

SIEM Query:

source="web_server_logs" AND (Host:*malicious* OR Host:*suspicious*) AND uri="/passbolt/*"
