CVE-2025-62428 HIGH

CVE-2025-62428: Drawing-Captcha APP Host Header Injection in `/register` and `/confirm-email` Endpoints

Vendor Drawing-Captcha
Product Drawing-Captcha-APP
Weakness CWE-601 · Open redirect
Published October 16, 2025
Last update October 17, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

Drawing-Captcha APP provides interactive, engaging verification for web-based applications. The vulnerability is a Host header injection in the /register and /confirm-email endpoints. An attacker can supply an arbitrary Host header in HTTP requests to these endpoints, and the application uses that value when generating the email confirmation link, so the link in the email can point to an attacker-controlled domain. This affects all users who rely on email confirmation for account registration or verification. The vulnerability is fixed in 1.2.5-alpha-patch.
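The following is an added illustration, not code from Drawing-Captcha-APP, of the pattern the advisory describes and its mitigation: a confirmation-link builder that trusts the Host header, a hardened builder that derives the link from a configured canonical origin and rejects mismatched Host values, and a small access-log check for the two affected endpoints. CANONICAL_ORIGIN, ALLOWED_HOSTS, the function names and the sample log lines are all assumed or constructed here.

```python
from urllib.parse import urlsplit

# Assumed deployment settings (constructed): the only origin the mailer may link to.
CANONICAL_ORIGIN = "https://captcha.example"
ALLOWED_HOSTS = frozenset({"captcha.example"})

def hostname_of(host_header: str):
    # Normalise a Host header value: strips a port, handles bracketed IPv6, lowercases.
    return urlsplit("//" + host_header).hostname

def build_link_from_host(headers: dict, token: str) -> str:
    # Vulnerable pattern (the flaw the advisory describes): the link's authority is
    # whatever the client sent in Host, so the emailed link can point anywhere.
    return f"https://{headers.get('Host', '')}/confirm-email?token={token}"

def build_link_hardened(headers: dict, token: str, origin: str = CANONICAL_ORIGIN) -> str:
    # Hardened: the link is built from configuration only, and a request whose Host
    # does not name the canonical host is rejected before any email is generated.
    if hostname_of(headers.get("Host", "")) != urlsplit(origin).hostname:
        raise ValueError("Host header does not match the configured origin")
    return f"{origin}/confirm-email?token={token}"

def link_stays_on_origin(link: str, origin: str = CANONICAL_ORIGIN) -> bool:
    # Regression check for any mailer that builds absolute URLs: the generated
    # link must land on the canonical host.
    return urlsplit(link).hostname == urlsplit(origin).hostname

# Constructed sample access-log lines: "<method> <path> <Host header value>".
SAMPLE_ACCESS_LOG = [
    "POST /register captcha.example",
    "POST /register evil.example",
    "GET /confirm-email?token=abc captcha.example:443",
    "GET /confirm-email?token=abc captcha.example.evil.test",
    "GET /static/app.js evil.example",
]

def suspicious_host_requests(lines, allowed_hosts=ALLOWED_HOSTS):
    # Detection: requests to the two affected endpoints whose Host header is not
    # an allowed host. Requests for other paths are ignored.
    hits = []
    for line in lines:
        _method, path, host = line.split(" ", 2)
        if not path.startswith(("/register", "/confirm-email")):
            continue
        if hostname_of(host) not in allowed_hosts:
            hits.append(line)
    return hits
```

In a real deployment the same check belongs at the reverse proxy or framework level (for example an allowed-hosts setting), so that no handler ever sees a request with an unexpected Host.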

Key dates

Disclosure timeline

October 16, 2025 CVE published
October 17, 2025 Record updated