4 matches found
HTTP Header Injection
Overview @perfood/couch-auth is an Easy and secure authentication for CouchDB/Cloudant. Based on SuperLogin, updated and rewritten in Typescript. Affected versions of this package are vulnerable to HTTP Header Injection via the mailer component. An attacker can gain unauthorized access to reset...
CVE-2025-70949
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel...
CVE-2025-70949
Summary: CVE-2025-70949 affects @perfood/couch-auth v0.26.0. The vulnerability is an observable timing discrepancy that creates a timing side-channel, potentially allowing an attacker to access sensitive information during authentication. The available documents do not disclose a fixed version; r...
CVE-2024-57177
A host header injection vulnerability exists in the NPM package of perfood/couch-auth = 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information...