@perfood/couch-auth
npm
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @perfood/couch-auth
- CVE-2023-39655 | CRITICAL | CVSS 9.6 | EG 8.1 | 2024-01-03
A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, …
- CVE-2024-57177 | HIGH | CVSS 7.3 | EG 4.3 | 2025-02-10
A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged t…
- CVE-2025-70948 | CRITICAL | CVSS 9.3 | EG 9.3 | 2026-03-05
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.
- CVE-2025-70949 | HIGH | CVSS 7.5 | EG 7.5 | 2026-03-05
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.