Overview
CVE-2025-62406 is a high-severity vulnerability in Piwigo, a popular open-source photo gallery application. Piwigo 15.6.0 and earlier releases are susceptible to Host header injection in the password reset functionality: the hostname embedded in the emailed reset link is copied from the incoming HTTP request, so an attacker who triggers a reset for a victim can make the link point at a server they control and capture the reset token when the victim clicks it.
Technical Details
The vulnerability resides within Piwigo’s password reset process. When a password reset is requested for an account, Piwigo emails that account’s address a link containing a one-time reset token. The flaw is that the hostname used to build this link is taken directly from the Host header of the HTTP request that triggered the reset. The Host header is supplied by whoever sends the request; in normal use it tells the server which site the browser wants, but nothing stops a client from putting any value there. Piwigo 15.6.0 neither validates the header against the gallery’s configured address nor ignores it in favour of a fixed base URL, so a web server that routes requests with an unexpected Host to Piwigo (for example, because Piwigo sits in the default virtual host) will produce reset links for whatever hostname the requester chose.
An attacker exploits this by submitting a password reset request for a known or guessed username or email address, with the Host header set to a domain they control. Piwigo then sends the legitimate user an email whose reset link points at the attacker’s host while carrying the user’s real reset token in the query string. The link is not a redirect: when the user clicks it, the browser connects straight to the attacker’s server, which logs the request, extracts the token and uses it against the real Piwigo site to set a new password, or serves a look-alike reset page to collect the user’s credentials. Because the email is sent by the genuine Piwigo installation, the link is far more convincing than an ordinary phishing message.
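The following added example (written for this page, not Piwigo’s code) contrasts the flawed construction with a safe one and shows what the attacker’s server sees when the victim clicks. The URL path, the query parameter names, CANONICAL_BASE_URL and ALLOWED_HOSTS are assumptions for the demo, not Piwigo’s actual settings.

```python
# Added illustrative example (not Piwigo's code): how a reset link becomes attacker-controlled
# when its hostname is copied from the request's Host header, and how to build it safely.
# Paths, query parameter names and the configuration constants are assumptions for the demo.
import re
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Operator-configured canonical URL and host allowlist (assumed names, not Piwigo settings).
CANONICAL_BASE_URL = "https://gallery.example.org/piwigo"
ALLOWED_HOSTS = {"gallery.example.org"}

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]{1,253}$")


def vulnerable_reset_url(headers: Dict[str, str], token: str) -> str:
    """The flawed pattern the advisory describes: the link's host is whatever the client sent."""
    host = headers.get("Host", "")
    return f"https://{host}/piwigo/password.php?key={token}&action=reset"


def normalize_host(host_header: str) -> Optional[str]:
    """Lowercase hostname with any port removed; None if the value is not a plausible hostname."""
    value = host_header.strip()
    if value.startswith("["):  # IPv6 literal such as [::1]:8080
        end = value.find("]")
        if end == -1 or (value[end + 1:] and not value[end + 1:].startswith(":")):
            return None
        return value[: end + 1].lower()
    host, _, port = value.partition(":")
    if port and not port.isdigit():
        return None
    host = host.lower()
    return host if HOSTNAME_RE.match(host) else None


def is_allowed_host(host_header: str, allowed=frozenset(ALLOWED_HOSTS)) -> bool:
    """Exact-match allowlist check: what a default vhost or an app-level guard should enforce."""
    host = normalize_host(host_header)
    return host is not None and host in allowed


def hardened_reset_url(headers: Dict[str, str], token: str) -> str:
    """Fixed pattern: reject unexpected Hosts, and never derive the link from the request anyway."""
    if not is_allowed_host(headers.get("Host", "")):
        raise ValueError("unexpected Host header; refusing to process reset request")
    return f"{CANONICAL_BASE_URL}/password.php?key={token}&action=reset"


def harvest_token(request_line: str) -> Optional[str]:
    """What the attacker's server does when the poisoned link is clicked: read the token from the query."""
    try:
        _, target, _ = request_line.split(" ", 2)
    except ValueError:
        return None
    return parse_qs(urlsplit(target).query).get("key", [None])[0]


def demo() -> dict:
    token = secrets.token_hex(16)
    attacker_headers = {"Host": "attacker.example"}       # constructed malicious reset request
    legit_headers = {"Host": "Gallery.Example.org:443"}   # constructed normal reset request
    poisoned = vulnerable_reset_url(attacker_headers, token)
    # The victim's click reaches attacker.example as roughly this request line (constructed).
    parts = urlsplit(poisoned)
    seen_by_attacker = f"GET {parts.path}?{parts.query} HTTP/1.1"
    try:
        hardened_reset_url(attacker_headers, token)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "token": token,
        "poisoned_host": parts.hostname,
        "harvested": harvest_token(seen_by_attacker),
        "attacker_blocked": blocked,
        "safe_url": hardened_reset_url(legit_headers, token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here. The allowlist check is an exact match on the normalised hostname (port stripped, lowercased, only hostname characters accepted), not a substring or prefix test, so gallery.example.org.attacker.example is rejected. And the hardened builder does not merely validate the Host header; it ignores it entirely and uses the operator-configured base URL, so a later misconfiguration of the allowlist cannot reintroduce the bug.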
CVSS Analysis
This vulnerability has been assigned a CVSS score of 8.1, indicating HIGH severity. The score reflects the impact (full takeover of a user account by an unauthenticated remote attacker who needs only a username or email address to start); the main practical obstacle is that the victim must act on the poisoned email.
- CVSS Score: 8.1
- Severity: HIGH
Possible Impact
The successful exploitation of CVE-2025-62406 can have severe consequences:
- Account Takeover: Attackers can gain complete control of user accounts.
- Data Breach: Compromised accounts can be used to access and potentially exfiltrate sensitive data, including uploaded photos and user information.
- Reputational Damage: A successful attack can severely damage the reputation of websites and organizations using Piwigo.
- Further Attacks: Compromised accounts can be leveraged to spread malware or launch further attacks against other users or the server itself.
Mitigation and Patch Steps
The vulnerability has been addressed in Piwigo version 15.7.0. All Piwigo users running version 15.6.0 or earlier should upgrade to 15.7.0 or later immediately.
Upgrade Instructions:
- Back up your Piwigo database and files before upgrading.
- Follow the official Piwigo upgrade instructions available on the Piwigo website.
If upgrading is not immediately possible, a temporary workaround is to have the web server (Apache, Nginx or a reverse proxy in front of them) accept requests for the gallery only when the Host header exactly matches its real hostname, and to reject or drop everything else before it reaches Piwigo. Note that the web server cannot fix the link itself: the poisoned URL travels in the outgoing email, not in an HTTP response, so the spoofed Host header has to be stopped at the door. After applying such a rule, verify it by sending a request with a bogus Host header (for example with curl’s -H option) to the server’s address and confirming that Piwigo’s password reset page is not served.
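As an added example of that workaround (not configuration from the Piwigo project), the Nginx fragment below sends any request whose Host header does not exactly match the gallery’s hostname to a catch-all server that drops the connection. gallery.example.org, the certificate and root paths and the PHP-FPM socket are placeholders for the site’s real values.

```nginx
# Added example configuration (not from the Piwigo project): only serve the gallery for its
# real hostname. gallery.example.org, the file paths and the PHP handler are placeholders.

# Catch-all for any Host (or missing SNI) that does not match a named server below.
# return 444 closes the connection without a response; ssl_reject_handshake (nginx 1.19.4+)
# lets this block exist without a certificate of its own.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# Plain HTTP for the real name: redirect to the fixed hostname, not to $host.
server {
    listen 80;
    server_name gallery.example.org;
    return 301 https://gallery.example.org$request_uri;
}

# The gallery itself: exact server_name, no wildcard or regex, so a request carrying
# "Host: attacker.example" is handled by the catch-all and never reaches password.php.
server {
    listen 443 ssl;
    server_name gallery.example.org;
    ssl_certificate     /etc/ssl/certs/gallery.example.org.pem;     # placeholder paths
    ssl_certificate_key /etc/ssl/private/gallery.example.org.key;

    root /var/www/piwigo;                                            # placeholder path
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;                     # placeholder socket
    }
}
```

To check the rule, run `curl -k -H 'Host: attacker.example' https://<server-ip>/password.php` against the server: it should fail with an empty reply rather than return Piwigo’s page, while the same request with the real hostname succeeds. On Apache the equivalent is a `RewriteCond %{HTTP_HOST} !^gallery\.example\.org$ [NC]` followed by `RewriteRule ^ - [F]` at the top of the gallery’s virtual host; `UseCanonicalName On` alone is not enough, because it changes SERVER_NAME but leaves the HTTP_HOST value that the application reads untouched.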
References
- Piwigo Commit 9d2565465efc3570963ff431b45cad21610f6692 – Patch information
- GHSA-9986-w7jf-33f6 – GitHub Security Advisory
