QwikSec

Security Database

CVE

CWE

Training

CVE-2025-53373

Published: Jul 7, 2025

Modified: Jul 7, 2025

PUBLISHED

Description

Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b.

Vendor	Product	Versions
ahmed-elgaml11	Natours	affected `< 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b`

Weaknesses (CWE)

References

https://github.com/ahmed-elgaml11/Natours/security/advisories/GHSA-8gmw-7p75-58qv

x_refsource_CONFIRM

https://github.com/ahmed-elgaml11/Natours/commit/7401793a8d9ed0f0c250c4e0ee2815d685d7a70b

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.