CouchAuth has a Server-Side Template Injection vulnerability in its email functionality
- Severity: Medium
Description
A host header injection vulnerability exists in the NPM package perfood/couch-auth <= 0.21.2. By sending a specially crafted Host header in the email change confirmation request, an attacker can trigger an SSTI (server-side template injection), which can be leveraged to run limited commands or leak server-side information.
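The root cause described above is that a request-controlled value (the Host header) reaches the email template. The following is an added example of the defensive pattern, written for this page and not taken from couch-auth: the confirmation link is built from a configured public base URL rather than from the request, the Host header is checked against an allowlist before any mail is sent, and request-derived values only ever fill placeholders as escaped data instead of being compiled as template source. `PUBLIC_BASE_URL`, `ALLOWED_HOSTS`, `handleEmailChange`, `sendMail` and the sample request are all assumptions constructed for the example.

```javascript
// Added example: hardening pattern for confirmation e-mails. Not couch-auth's
// own code. PUBLIC_BASE_URL and ALLOWED_HOSTS stand in for deployment
// configuration; sendMail stands in for whatever mailer the application uses.

const PUBLIC_BASE_URL = 'https://auth.example.com';   // constructed value
const ALLOWED_HOSTS = new Set(['auth.example.com']);  // constructed allowlist

// Validate the Host header against the allowlist. An optional port is
// accepted; anything that is not a plain hostname is rejected.
function hostIsAllowed(hostHeader) {
  if (typeof hostHeader !== 'string') return false;
  const m = /^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?$/i.exec(hostHeader.trim());
  return m !== null && ALLOWED_HOSTS.has(m[1].toLowerCase());
}

// Build the link from configuration, never from the incoming request.
function buildConfirmationLink(token) {
  const url = new URL('/confirm-email', PUBLIC_BASE_URL);
  url.searchParams.set('token', token);
  return url.toString();
}

// Minimal HTML escaping for values placed into an HTML e-mail body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Substitute placeholders as data. The template is a fixed string owned by
// the application; request-derived values fill placeholders and are never
// evaluated as template source.
function renderEmail(template, vars) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(vars, key) ? escapeHtml(vars[key]) : '');
}

const CONFIRM_TEMPLATE =
  '<p>Hello {{name}},</p><p>Confirm your new address: <a href="{{link}}">{{link}}</a></p>';

// Hypothetical handler shape: returns {status, body} instead of binding to a
// web framework, so it can be exercised without a server.
function handleEmailChange(req, sendMail) {
  if (!hostIsAllowed(req.headers.host)) {
    return { status: 400, body: 'unexpected Host header' };
  }
  const link = buildConfirmationLink(req.token);
  const html = renderEmail(CONFIRM_TEMPLATE, { name: req.user.name, link });
  sendMail({ to: req.newEmail, html });
  return { status: 200, body: 'confirmation sent' };
}

// Constructed sample request; run with `node` to see the rendered result.
const sampleRequest = {
  headers: { host: 'auth.example.com' },
  token: 'tok-123',
  user: { name: 'Ada <ada>' },
  newEmail: 'ada@example.com',
};
const sent = [];
console.log(handleEmailChange(sampleRequest, (m) => sent.push(m)), sent[0]);
```

The allowlist check is deliberately separate from link construction: even if a reverse proxy in front of the application already normalises Host, building the link from `PUBLIC_BASE_URL` means the e-mail content cannot change when that assumption breaks.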
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.21.2
References
Related Issues
- systeminformation has a Command Injection vulnerability in fsSize() function on Windows - CVE-2025-68154
- @perfood/couch-auth may expose session tokens, passwords - CVE-2025-60794
- CouchAuth host header injection vulnerability leaks the password reset token - CVE-2023-39655
- Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv) - CVE-2023-50728
- Tags:
- npm
- @perfood/couch-auth
Last updated on December 18, 2025