{"id":"CVE-2025-62428","summary":"Drawing-Captcha APP Host Header Injection in `/register` and `/confirm-email` Endpoints","details":"Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints: the application uses the Host header of the incoming HTTP request when generating email confirmation links, so an attacker who supplies a manipulated Host header can cause the application to send confirmation emails containing malicious links. These links can redirect users to attacker-controlled domains. This vulnerability affects all users relying on email confirmation for account registration or verification. This vulnerability is fixed in 1.2.5-alpha-patch.","aliases":["GHSA-5pj8-fc6g-vv7m"],"modified":"2026-04-02T12:57:54.350481Z","published":"2025-10-16T18:57:14.114Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62428.json","cwe_ids":["CWE-601"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62428.json"},{"type":"ADVISORY","url":"https://github.com/Drawing-Captcha/Drawing-Captcha-APP/security/advisories/GHSA-5pj8-fc6g-vv7m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62428"},{"type":"REPORT","url":"https://github.com/Drawing-Captcha/Drawing-Captcha-APP/issues/30"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drawing-captcha/drawing-captcha-app","events":[{"introduced":"0"},{"fixed":"5dd435c489456ff52003a4c2eca836af09ae9dfe"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.5-alpha-patch"}]}}],"versions":["published","v1.1.0-alpha","v1.2.0-alpha","v1.2.1-alpha-patch","v1.2.2-alpha-patch","v1.2.3-alpha-patch","v1.2.4-alpha-patch"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62428.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"}]}