CVE-2025-23001

Published: Jan 31, 2025

Modified: Feb 21, 2025

PUBLISHED

Description

A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. An attacker can manipulate the Host header in HTTP requests, which may lead to phishing attacks, reset password, or cache poisoning. NOTE: the Supplier's position is that the end user is supposed to edit the NGINX configuration template to set server_name (with this setting, Host header injection cannot occur).

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/CTFd/CTFd

https://codetoanbug.com/poc-cve-2025-23001-ctfd-english/

https://blog.ctfd.io/ctfd-3-7-6/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-23001

Description

Affected Products

References