Weak Password Recovery Mechanism for Forgotten Password Affecting apostrophe package, versions <4.30.0


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Weak Password Recovery Mechanism for Forgotten Password vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-APOSTROPHE-16760041
  • published19 May 2026
  • disclosed14 May 2026
  • creditMujahidkhan525, VadlaReddySai

Introduced: 14 May 2026

CVE-2026-45013  (opens in a new tab)
CWE-640  (opens in a new tab)

How to fix?

Upgrade apostrophe to version 4.30.0 or higher.

Overview

apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.

Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the resetRequest flow in the login module. An attacker can cause password reset emails to contain links to an attacker-controlled domain by sending a crafted Host header in a POST /api/v1/@apostrophecms/login/reset-request request, which can leak the reset token and allow the attacker to take over the victim’s account.

Notes

  • The vulnerable path is gated by passwordReset: true in the login module and only affects deployments that leave apos.baseUrl unset.

Workarounds

  • Set baseUrl for the ApostropheCMS Express configuration, or set the APOS_BASE_URL environment variable, before enabling passwordReset: true; this prevents password reset emails from being built from the attacker-controlled Host header and stops reset links from pointing to an attacker-controlled domain.

CVSS Base Scores

version 4.0
version 3.1