Mailcow Patches Password Reset Poisoning Vulnerability (CVE-2025-25198)

Popular open-source email server suite, mailcow, has released a patch addressing a serious vulnerability that could allow attackers to hijack user accounts. The flaw, identified as CVE-2025-25198, involves password reset poisoning and carries a CVSS score of 7.1 (High).

Mailcow, known for simplifying the setup and management of self-hosted email infrastructure, relies on components like Postfix, Dovecot, and SOGo, and utilizes Docker for ease of deployment. This recent vulnerability, however, exposed a weakness in its password reset mechanism.

The vulnerability lies in how mailcow handles the Host HTTP header during password reset requests. As the official security advisory explains, “A vulnerability in mailcow’s password reset functionality allows an attacker to manipulate the Host HTTP header to generate a password reset link pointing to an attacker-controlled domain.”

This manipulation allows a malicious actor to craft a password reset link that appears legitimate but actually directs the user to a phishing website. Should the user click this poisoned link, they could inadvertently provide their new password to the attacker, leading to complete account takeover.

Donncha Ó Cearbhaill of Amnesty International’s Security Lab responsibly disclosed the vulnerability.

Mailcow’s development team has responded swiftly, releasing patch 2025-01a to address the issue. Users are urged to apply this update as soon as possible to mitigate the risk of exploitation.

For those unable to update immediately, a temporary workaround is available. The advisory recommends deactivating the password reset functionality altogether. This can be achieved by navigating to System -> Configuration -> Options -> Password Settings within the mailcow interface and clearing both the Notification email sender and Notification email subject fields.

Rate this post

Tags: CVE-2025-25198

Leave a Reply Cancel reply

Website

Related Posts:

Leave a Reply Cancel reply