CouchAuth has a Server-Side Template Injection vulnerability in its email functionality
- Severity:
- Medium
Description
A host header injection vulnerability exists in the npm package perfood/couch-auth <= 0.21.2. By sending a specially crafted Host header in the email change confirmation request, an attacker can trigger an SSTI, which can be leveraged to run limited commands or leak server-side information.
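As an added defensive example (not code from couch-auth or from this advisory), the following JavaScript shows the pattern that removes this class of bug: the confirmation link is always built from a server-side configured origin, and the request's Host header is only validated against an allow-list, never copied into the email template. The function names and the allow-list are assumptions for illustration.

```javascript
// Constructed allow-list of deployment hosts (assumption for this example).
const ALLOWED_HOSTS = new Set(["auth.example.com", "localhost:3000"]);

// Returns the origin to use in outgoing email, or null when the incoming
// Host header is not a known deployment host. The header value itself is
// never returned, so it can never reach the email template.
function resolveEmailOrigin(hostHeader, configuredOrigin) {
  if (typeof hostHeader !== "string") return null;
  const host = hostHeader.trim().toLowerCase();
  // A Host value is "hostname" or "hostname:port"; braces, slashes,
  // whitespace or any other template/path syntax fails this check.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host)) return null;
  if (!ALLOWED_HOSTS.has(host)) return null;
  return configuredOrigin;
}

// Builds the confirmation message from the trusted origin and a URL-encoded
// token. Nothing taken from the request is concatenated into template source.
function renderConfirmation(origin, token) {
  const url = `${origin}/confirm-email?token=${encodeURIComponent(token)}`;
  return `Confirm your new address: ${url}`;
}

// Hypothetical request handler: reject the request instead of falling back
// to the attacker-controlled header when validation fails.
function handleEmailChange(req, configuredOrigin) {
  const origin = resolveEmailOrigin(req.headers.host, configuredOrigin);
  if (origin === null) {
    return { status: 400, body: "unexpected Host header" };
  }
  return { status: 200, body: renderConfirmation(origin, req.token) };
}
```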
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.21.2
References
Related Issues
- lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability - CVE-2024-32964
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- @lobehub/chat Server Side Request Forgery vulnerability - CVE-2024-32965
- Tags:
- npm
- @perfood/couch-auth
Last updated on December 18, 2025