CVE-2024-57177

MEDIUM4.3EPSS 0.14%

CouchAuth has a Server-Side Template Injection vulnerability in its email functionality

Published: 2/10/2025Modified: 12/18/2025

Description

A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information.

Affected packages (1)

npm/@perfood/couch-authfrom 0, <= 0.21.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-57177
PATCHhttps://github.com/perfood/couch-auth
WEBhttps://github.com/waristea/cve-research/tree/main/CVE-2024-57177