SB2025123101 - Host header injection in Webmin
Published: December 31, 2025
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Neutralization of HTTP Headers for Scripting Syntax (CVE-ID: CVE-2025-61541)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to improper input validation when processing HTTP requests in the password reset functionality (forgot_send.cgi). The value of the request's Host header is taken over by get_webmin_email_url() when the reset link is built, so a remote, unauthenticated attacker can send a specially crafted HTTP request with an arbitrary Host header that the application accepts.
Successful exploitation of the vulnerability may allow an attacker to inject a malicious domain into the reset email, trick the victim into clicking the reset link, intercept the reset token and gain full control of the target account.
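As an added illustration (not Webmin's code and not part of this bulletin), the following Python sketch places the vulnerable pattern, a reset-link origin copied from the client-supplied Host header, beside a hardened builder that honours the header only when it matches an exact allowlist and otherwise falls back to the administrator-configured base URL while logging the mismatch. The function names, the RESET_PATH endpoint, the base URL, the allowlist and the sample headers are all constructed for this example.

```python
"""Defensive pattern for password-reset links that do not trust the Host header.

Illustration only; not Webmin's code. Names, paths and sample values are constructed.
"""
import logging
from urllib.parse import quote

log = logging.getLogger("reset-url")

# Hypothetical configuration: the canonical external URL the administrator set,
# and the exact host[:port] values this instance is willing to be addressed as.
CONFIGURED_BASE_URL = "https://webmin.example.com:10000"
ALLOWED_HOSTS = {"webmin.example.com:10000"}
RESET_PATH = "/password_reset.cgi"  # hypothetical endpoint name


def vulnerable_reset_url(headers, token):
    """Vulnerable pattern: the link origin comes straight from the Host header,
    so whoever sends the request chooses the domain the victim's email points at."""
    host = headers.get("Host", "localhost")
    return f"https://{host}{RESET_PATH}?token={quote(token, safe='')}"


def normalize_host(raw):
    """Lower-case, strip surrounding whitespace and a trailing dot; keep any port."""
    return raw.strip().lower().rstrip(".")


def host_is_allowed(raw_host, allowed=ALLOWED_HOSTS):
    """Exact-match allowlist check on host[:port]; no substring or suffix matching,
    so 'webmin.example.com.untrusted.example:10000' is rejected."""
    if not raw_host:
        return False
    return normalize_host(raw_host) in {normalize_host(h) for h in allowed}


def safe_reset_url(headers, token, base_url=CONFIGURED_BASE_URL, allowed=ALLOWED_HOSTS):
    """Hardened pattern: use the Host header only if it is on the allowlist; otherwise
    log the mismatch (a useful detection signal for header-tampering attempts) and
    build the link from the configured base URL. Forwarded headers such as
    X-Forwarded-Host are deliberately not consulted."""
    host = headers.get("Host", "")
    if host_is_allowed(host, allowed):
        origin = f"https://{normalize_host(host)}"
    else:
        log.warning("Host header %r not in allowlist; using configured base URL", host)
        origin = base_url.rstrip("/")
    return f"{origin}{RESET_PATH}?token={quote(token, safe='')}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed request headers: one with a tampered Host value, one legitimate.
    tampered = {"Host": "untrusted.example"}
    legitimate = {"Host": "WEBMIN.example.com:10000"}
    print("vulnerable:", vulnerable_reset_url(tampered, "t0k3n"))
    print("hardened:  ", safe_reset_url(tampered, "t0k3n"))
    print("hardened:  ", safe_reset_url(legitimate, "t0k3n"))
```

The allowlist comparison is an exact match on the normalized host[:port] string rather than a prefix or suffix test, and the fallback to a configured base URL means a reset link is never built from an unrecognized header value; the warning it emits is worth forwarding to the SIEM, since requests with unexpected Host values against a password-reset endpoint are a direct indicator of this attack class.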
Remediation
Install the update from the vendor's website.