CouchAuth has a Server-Side Template Injection vulnerability in its email functionality

Severity:: Medium

Description

A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.21.2

References

GHSA-r385-c5fc-x56c
CVE-2024-57177
CWE-1336
CWE-74
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - @strapi/plugin-email - CVE-2023-22621
@perfood/couch-auth has a host header injection vulnerability - CVE-2025-70948
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
Server-Side Template Injection in formio - CVE-2020-28246

Exploiting Server Version Disclosure

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; @perfood/couch-auth

Anything's wrong? Let us know Last updated on December 18, 2025