copilot-api has Reliance on Reverse DNS Resolution for a Security-Critical Action
- Severity: Low
Description
A vulnerability was found in ericc-ch copilot-api up to 0.7.0. It affects an unknown function of the file /token in the Header Handler component. Manipulating the Host argument can lead to reliance on reverse DNS resolution for a security-critical action. The attack can be performed remotely. The exploit has been publicly disclosed and may be used.
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.7.0
- Tags: npm, copilot-api
Last updated on April 30, 2026


