CVE-2025-63828

6.1 MEDIUM

📋 TL;DR

A Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests. This can redirect users to malicious domains and potentially enable session hijacking through cookie injection. All Backdrop CMS 1.32.1 installations are affected.

💻 Affected Systems

Products:
  • Backdrop CMS
Versions: 1.32.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of Backdrop CMS 1.32.1 are vulnerable. The vulnerability is in the password reset functionality.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers redirect users to malicious sites during password reset, steal session cookies, and gain unauthorized access to user accounts, potentially leading to account takeover and data theft.

🟠

Likely Case

Attackers redirect users to phishing sites during password reset flows, capturing credentials and potentially hijacking sessions if cookies are exposed.

🟢

If Mitigated

With proper input validation and secure headers, the impact is limited to failed redirect attempts with no data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Apply workarounds or upgrade to a future patched version when released.

🔧 Temporary Workarounds

Web Server Host Header Validation

Platform: all

Configure your web server (Apache/Nginx) to validate and restrict Host headers to prevent injection.

# Apache: Set UseCanonicalName On in httpd.conf
# Nginx: Set server_name directive with valid domains

Application-Level Input Sanitization

Platform: all

Modify Backdrop CMS code to sanitize and validate Host header values in password reset functionality.

# Edit backdrop/modules/user/user.module to add Host header validation

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with rules to block malicious Host header manipulation.
  • Disable password reset functionality temporarily if not critical, or implement rate limiting on reset requests.

🔍 How to Verify

Check if Vulnerable:

Test by sending a password reset request with a manipulated Host header (e.g., using curl with -H 'Host: malicious.com') and check if redirects occur.

Check Version:

Check Backdrop CMS version via admin interface or inspect core files for version info.

Verify Fix Applied:

After applying workarounds, retest with manipulated Host headers; no redirects or injection should occur.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Host header values in access logs (e.g., non-standard domains)
  • Multiple failed password reset attempts from same IP

Network Indicators:

  • HTTP requests with manipulated Host headers to password reset endpoints
  • Redirects to external domains during reset flows

SIEM Query:

source="web_logs" AND (url="*/user/password" OR url="*/user/reset") AND (host_header!="expected_domain" OR host_header="*malicious*")
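The two log indicators above, expressed as a small checker that flags password reset requests whose Host header is not an allowed domain and IPs that repeat reset requests. This is an added example, not part of this advisory or of Backdrop CMS; it assumes a hypothetical nginx log format in which the request Host is appended as a final quoted field, and the sample lines are constructed.

```python
import re

# Assumed log format (not Backdrop's own): nginx "combined" plus the request
# Host as a trailing quoted field, e.g. log_format ... '"$host"'.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

# Password reset endpoints named in the SIEM query above.
RESET_PATHS = ("/user/password", "/user/reset")


def host_is_allowed(host, allowed):
    # Drop any :port suffix and compare case-insensitively.
    return host.split(":", 1)[0].lower() in allowed


def find_host_anomalies(lines, allowed_hosts, attempt_threshold=3):
    """Return findings for reset requests with an unexpected Host header and
    for source IPs that hit the reset endpoints attempt_threshold or more times."""
    allowed = {h.lower() for h in allowed_hosts}
    findings, attempts = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(RESET_PATHS):
            continue  # only password reset traffic is of interest here
        ip, host = m.group("ip"), m.group("host")
        attempts[ip] = attempts.get(ip, 0) + 1
        if not host_is_allowed(host, allowed):
            findings.append({"reason": "unexpected_host", "ip": ip, "host": host, "path": path})
    for ip, n in attempts.items():
        if n >= attempt_threshold:
            findings.append({"reason": "repeated_reset_requests", "ip": ip, "count": n})
    return findings


# Constructed sample log lines (documentation IPs and example domains).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2025:10:00:01 +0000] "POST /user/password HTTP/1.1" 302 0 "-" "curl/8.0" "attacker.example"',
    '198.51.100.7 - - [10/Nov/2025:10:00:05 +0000] "POST /user/password HTTP/1.1" 302 0 "-" "Mozilla/5.0" "cms.example.org"',
    '203.0.113.5 - - [10/Nov/2025:10:00:09 +0000] "GET /user/reset/1/abc/def HTTP/1.1" 200 512 "-" "curl/8.0" "cms.example.org:8443"',
    '203.0.113.5 - - [10/Nov/2025:10:00:12 +0000] "POST /user/password HTTP/1.1" 302 0 "-" "curl/8.0" "evil.example"',
    '192.0.2.9 - - [10/Nov/2025:10:00:20 +0000] "GET /node/1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "attacker.example"',
]

if __name__ == "__main__":
    for f in find_host_anomalies(SAMPLE_LOG, ["cms.example.org"]):
        print(f)
```

The non-reset request with a bad Host (last sample line) is deliberately ignored, and a Host carrying a port still matches the allowed domain.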
