CVE-2025-25198

Published Feb 12, 2025

Last updated 9 months ago

CVSS high 7.1

Overview

Description
mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
Source
security-advisories@github.com
NVD status
Analyzed
Products
mailcow\

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-601

Social media

Hype score
Not currently trending

  1. Just got my first PoC published on Packet Storm CVE-2025-25198 - Mailcow Host header poisoning. Automated, clean, does the job. Check it out 👇 https://t.co/ZxCBwMf53N https://t.co/xrkCPsMr4h

    @Iam_al_or

    18 Feb 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Just dropped a PoC for CVE-2025-25198 Automated Host header poisoning for Mailcow. spins up HTTPS listener, handles cookies + CSRF, catches the reset link right when it lands. No tab hell. Just the link. GitHub: https://t.co/387gS4ZC3a #CVE #infosec #BugBounty https://t.co/6N

    @Iam_al_or

    12 Feb 2026

    65 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Just dropped a PoC for CVE-2025-25198 Automated Host header poisoning for Mailcow. spins up HTTPS listener, handles cookies + CSRF, catches the reset link right when it lands. No clicking through 40 tabs. just clean output and a direct link. #CVE #infosec #bugbounty #mailcow h

    @Iam_al_or

    11 Feb 2026

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Mailcow has patched a password reset poisoning vulnerability (CVE-2025-25198). Users are advised to update. More details: https://t.co/y4rEnZRcOR #CyberSecurity #Infosec

    @adriananglin

    17 Feb 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Mailcow Patches Password Reset Poisoning Vulnerability (CVE-2025-25198) Learn about CVE-2025-25198 and how it affects mailcow's password reset feature. Stay secure with the latest patch details https://t.co/cHazRAHsPO

    @the_yellow_fall

    17 Feb 2025

    233 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-25198 Host Header Injection Vulnerability in Mailcow Allowing Unauthorized Password Reset https://t.co/zXJbIALaqq

    @VulmonFeeds

    12 Feb 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-25198 mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allo… https://t.co/lsr9KXPz0H

    @CVEnew

    12 Feb 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue.CVE-2025-53909
  2. mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, the attacker must first have access to an account within the system and possess the credentials of the target account that has 2FA enabled. By leveraging these credentials, the attacker can circumvent the 2FA process and gain access to the protected account. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.CVE-2024-41958
  3. mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.CVE-2024-41959
  4. mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.CVE-2024-41960
  5. mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user's browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue.CVE-2024-31204

References

Sources include official advisories and independent security research.