Password Reset Mailer

Host Header Injection

The reset mailer builds the link from the inbound `Host` header without an allow-list, so an attacker can poison the request via a CDN or proxy and steer the reset link to their domain.

CWE-644, CWE-201
Host injection probe


Expected Findings

  • Reset link is built using `Host` or `X-Forwarded-Host` from the request.
  • No allow-list of accepted hosts.
  • Same flaw on email verification, invite, and magic-link flows.

Signals

Bug (Go `net/http` handler; `r.Host` is attacker-controlled)
// r.Host is copied straight from the inbound request; nothing checks it against the site's real host.
link := "https://" + r.Host + "/reset?token=" + token
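The following added example is not from the original page. It places the buggy builder shown above beside a hardened one that only accepts an allow-listed host (with `X-Forwarded-Host` handled the same way, since a proxy-aware app would otherwise read it) and a canonical builder that ignores the request entirely. The host names, the `allowedHosts` map and the helper names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// allowedHosts is the allow-list of hosts the mailer may place in links.
// Assumption: a real deployment loads this from configuration.
var allowedHosts = map[string]bool{
	"app.example.com": true,
	"www.example.com": true,
}

// canonicalHost is the host used when links must not depend on the request at all.
const canonicalHost = "app.example.com"

var ErrUntrustedHost = errors.New("reset link: host not in allow-list")

// vulnerableResetLink reproduces the bug on the page: the link host is copied
// straight from the request, so a poisoned Host header steers the link.
func vulnerableResetLink(r *http.Request, token string) string {
	return "https://" + r.Host + "/reset?token=" + token
}

// requestHost returns the host a proxy-aware app would see: the first entry of
// X-Forwarded-Host if present, else Host. Both are attacker-influenced.
func requestHost(r *http.Request) string {
	if fh := r.Header.Get("X-Forwarded-Host"); fh != "" {
		return strings.TrimSpace(strings.Split(fh, ",")[0])
	}
	return r.Host
}

// safeResetLink builds the link only if the request host is allow-listed,
// and encodes the token as a proper query parameter.
func safeResetLink(r *http.Request, token string) (string, error) {
	host := strings.ToLower(requestHost(r))
	// Drop a port (e.g. "app.example.com:443") before the allow-list lookup.
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	if !allowedHosts[host] {
		return "", ErrUntrustedHost
	}
	return buildLink(host, token), nil
}

// canonicalResetLink never consults the request; it is the simplest fix when
// the site has a single public host.
func canonicalResetLink(token string) string {
	return buildLink(canonicalHost, token)
}

func buildLink(host, token string) string {
	u := url.URL{Scheme: "https", Host: host, Path: "/reset"}
	q := u.Query()
	q.Set("token", token)
	u.RawQuery = q.Encode()
	return u.String()
}

// newRequest builds a minimal request carrying the headers under test
// (constructed input for the example).
func newRequest(host, forwardedHost string) *http.Request {
	r := &http.Request{Host: host, Header: http.Header{}}
	if forwardedHost != "" {
		r.Header.Set("X-Forwarded-Host", forwardedHost)
	}
	return r
}

func main() {
	poisoned := newRequest("evil.example.net", "")
	fmt.Println("vulnerable:", vulnerableResetLink(poisoned, "abc"))
	if _, err := safeResetLink(poisoned, "abc"); err != nil {
		fmt.Println("hardened:  ", err)
	}
	fmt.Println("canonical: ", canonicalResetLink("abc"))
}
```

A rejected host is worth logging as a detection signal: a production reset endpoint receiving a `Host` or `X-Forwarded-Host` outside the allow-list is either a misconfigured proxy or an active poisoning attempt.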