Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation

Severity:: High

Description

ApostropheCMS’s password reset flow constructs the reset URL using req.hostname, which is derived directly from the attacker-controlled HTTP Host header when apos.baseUrl is not explicitly configured.

Recommendation

No fix is available yet. Followings are affected versions:

<= 4.29.0

References

GHSA-gf43-24g3-5hw2
CVE-2026-45013
CWE-20
CWE-640
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6
OWASP 2021-A7

Related Issues

bson-objectid contains Improper input validation - CVE-2019-19729
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
Improper Input Validation in Deap - CVE-2018-3749

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; apostrophe

Anything's wrong? Let us know Last updated on May 19, 2026