CVE-2025-63828 — Open Redirect in Backdrop

CWE-601 — Open Redirect CWE-644 — Improper Neutralization of HTTP Headers for Scripting Syntax4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 88.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Backdrop Backdropcms Backdrop CMS

Timeline

PublishedNov 18

Description

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Packagistbackdrop/backdrop1.32.0

▶NVDbackdropcms/backdrop_cms1.32.1

🔴Vulnerability Details

CVEList

CVE-2025-63828: Host Header Injection vulnerability in Backdrop CMS 1↗2025-11-18

▶

GHSA

Backdrop CMS Host Header Injection vulnerability↗2025-11-18

▶

OSV

Backdrop CMS Host Header Injection vulnerability↗2025-11-18

▶