Host Header Injection Affecting croogo/croogo package, versions >=0.0.0


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.05% (18th percentile)

  • Snyk ID: SNYK-PHP-CROOGOCROOGO-9804448
  • Published: 25 Apr 2025
  • Disclosed: 21 Apr 2025
  • Credit: Christ Bowel Bouchuen

Introduced: 21 Apr 2025

CVE-2024-29643
CWE-74

How to fix?

There is no fixed version for croogo/croogo.

Overview

croogo/croogo is an Open Source CMS built for everyone.

Affected versions of this package are vulnerable to Host Header Injection in the feed.rss component, which takes the value of the request's Host header (set with the -H argument in the PoC below) and passes it through to the <link> element of the RSS response without validation. An attacker who can make a victim fetch the feed with a crafted Host header can redirect feed consumers to a host of their choosing.

PoC

curl http://localhost:7080/feed.rss -H 'Host: evil.com'
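The fix pattern in code, as an added example that is not Croogo's own code: the vulnerable shape that copies the Host header straight into <link> is shown beside a hardened version that builds the link from a configured canonical base URL and only serves requests whose Host matches an allowlist. The function names, the allowlist and the base URL http://localhost:7080 are assumptions for illustration; the two sample Host values are the ones from the PoC above.

```php
<?php
// Added example (not Croogo's own code): Host header allowlisting and a
// canonical base URL for RSS links. All names below are illustrative.

declare(strict_types=1);

/**
 * True if $host (the raw Host header value) names one of the allowed hosts.
 * Hostname comparison is case-insensitive; an optional ":port" suffix is
 * accepted only when numeric. IPv6 literals ([::1]) are out of scope here.
 */
function isTrustedHost(string $host, array $allowedHosts): bool
{
    // Reject anything that is not plain host[:port] before comparing.
    if (!preg_match('/^([a-z0-9.-]+)(?::(\d{1,5}))?$/i', $host, $m)) {
        return false;
    }
    $name = strtolower($m[1]);
    foreach ($allowedHosts as $allowed) {
        if ($name === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

/**
 * Vulnerable pattern: <link> is built from whatever Host the client sent,
 * so the client controls where feed readers are sent.
 */
function feedLinkFromHostHeader(string $hostHeader, string $path): string
{
    return '<link>http://' . $hostHeader . $path . '</link>';
}

/**
 * Hardened pattern: <link> is built from the configured base URL. The Host
 * header only decides whether the request is served at all; an untrusted
 * Host yields null so the caller can answer 400 Bad Request.
 */
function feedLinkFromConfig(string $hostHeader, array $allowedHosts, string $baseUrl, string $path): ?string
{
    if (!isTrustedHost($hostHeader, $allowedHosts)) {
        return null;
    }
    // Escape for XML so a crafted path cannot break out of the element.
    $safePath = htmlspecialchars($path, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return '<link>' . rtrim($baseUrl, '/') . $safePath . '</link>';
}

// Constructed demo: the canonical host from the PoC and the hostile one.
$allowedHosts = ['localhost'];            // assumed deployment allowlist
$baseUrl      = 'http://localhost:7080';  // assumed canonical base URL

foreach (['localhost:7080', 'evil.com'] as $host) {
    $vulnerable = feedLinkFromHostHeader($host, '/feed.rss');
    $hardened   = feedLinkFromConfig($host, $allowedHosts, $baseUrl, '/feed.rss');
    echo 'Host: ', $host, PHP_EOL;
    echo '  vulnerable -> ', $vulnerable, PHP_EOL;
    echo '  hardened   -> ', $hardened ?? '400 Bad Request', PHP_EOL;
}
```

With Host set to evil.com the vulnerable function emits <link>http://evil.com/feed.rss</link>, while the hardened function refuses the request; with the canonical Host both serve, but the hardened link is derived from configuration rather than from the request. In a CakePHP application the same allowlist check belongs in middleware so it applies to every route, not only feed.rss.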
