Description
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows an attacker to obtain password reset tokens and take over accounts by spoofing the HTTP Host header.
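An added illustration of the pattern behind this bug class and its defender-side fix (example code, not code from @perfood/couch-auth): the vulnerable form builds the password reset link from the request's Host header, so a spoofed Host sends the token to a host the attacker controls, while the hardened form takes the public origin from configuration and rejects requests whose Host is not on an allowlist. The request objects, origin and host names are constructed for the example.

```javascript
'use strict';

// Constructed sample request in the shape of an Express-style request object.
// The Host header is attacker-controlled; here it names an attacker-operated domain.
const spoofedReq = {
  protocol: 'https',
  headers: { host: 'attacker.example' },
};

// Constructed request from a legitimate client hitting the real deployment.
const legitimateReq = {
  protocol: 'https',
  headers: { host: 'app.example.com' },
};

// Vulnerable pattern: the reset link's host is copied from the incoming
// Host header, so whoever controls that header controls where the token goes.
function buildResetLinkVulnerable(req, token) {
  return `${req.protocol}://${req.headers.host}` +
    `/auth/password-reset?token=${encodeURIComponent(token)}`;
}

// Hardened pattern: the public origin is fixed deployment configuration
// (assumed values below), never taken from the request. The Host header is
// only compared against an allowlist; a mismatch fails closed before any
// token would be issued or mailed.
const CONFIG = {
  publicOrigin: 'https://app.example.com',      // assumed deployment value
  allowedHosts: new Set(['app.example.com']),   // assumed deployment value
};

function buildResetLinkSafe(req, token, config = CONFIG) {
  const host = String(req.headers.host || '').toLowerCase();
  if (!config.allowedHosts.has(host)) {
    throw new Error(`rejected request with unexpected Host header: ${host}`);
  }
  const url = new URL('/auth/password-reset', config.publicOrigin);
  url.searchParams.set('token', token);
  return url.toString();
}

// Returns true when the safe builder refuses the spoofed request.
function safeBuilderRejectsSpoof(req, token) {
  try {
    buildResetLinkSafe(req, token);
    return false;
  } catch (err) {
    return true;
  }
}
```

Logging the rejected Host value, as the safe builder's error message does, also gives a simple detection signal for spoofing attempts against the reset endpoint.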
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.26.0
References
Related Issues
- @perfood/couch-auth has an Observable Timing Discrepancy - CVE-2025-70949
- @perfood/couch-auth may expose session tokens, passwords - CVE-2025-60794
- CouchAuth host header injection vulnerability leaks the password reset token - CVE-2023-39655
- Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545
Tags:
- npm
- @perfood/couch-auth
Last updated on March 06, 2026