CVE-2025-63828: Backdrop CMS Host Header Injection vulnerability
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.
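The class of flaw described above, as an added example that is not Backdrop CMS code and is not taken from the advisory: a password reset link built from the request's Host header, beside a version that validates the header against an allowlist and builds the link from configuration. The function names, hostnames, URL path and token are hypothetical.

```php
<?php
// Added illustration; not Backdrop CMS code. All names and values are constructed.

// Hostnames this site is legitimately served under (assumed configuration).
const TRUSTED_HOSTS = ['cms.example.org', 'www.cms.example.org'];
// Canonical origin used for every link sent by e-mail (assumed configuration).
const CANONICAL_BASE = 'https://cms.example.org';

/**
 * Returns the normalized hostname if it is on the allowlist, otherwise null.
 */
function trusted_host(?string $hostHeader): ?string {
    if ($hostHeader === null) {
        return null;
    }
    $host = strtolower(trim($hostHeader));
    // Accept only "hostname" or "hostname:port"; anything else is rejected.
    if (!preg_match('/^([a-z0-9.-]+)(:\d{1,5})?$/', $host, $m)) {
        return null;
    }
    $name = rtrim($m[1], '.'); // treat "example.org." like "example.org"
    return in_array($name, TRUSTED_HOSTS, true) ? $name : null;
}

// Before: the link inherits whatever Host value the client supplied.
function reset_link_vulnerable(array $server, string $token): string {
    return 'https://' . $server['HTTP_HOST'] . '/reset?token=' . rawurlencode($token);
}

// After: the link is built from configuration, never from request data.
function reset_link_hardened(string $token): string {
    return CANONICAL_BASE . '/reset?token=' . rawurlencode($token);
}

// Constructed request carrying a Host value that is not on the allowlist.
$server = ['HTTP_HOST' => 'untrusted.example'];
$token  = 'CONSTRUCTED-TOKEN';

if (trusted_host($server['HTTP_HOST']) === null) {
    // A real handler would answer HTTP 400 here and stop processing.
    echo "rejected Host: {$server['HTTP_HOST']}\n";
}
echo reset_link_vulnerable($server, $token), "\n"; // points at untrusted.example
echo reset_link_hardened($token), "\n";            // always cms.example.org
```

The same allowlist check belongs in front of any code that sets redirects or cookie domains from the request host.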