Mailcow; one of the most popular self-hosted, Docker-based mail server suites, patched a nasty vulnerability earlier this year that could let attackers hijack password reset flows through a classic host header poisoning technique.
Tracked as CVE-2025-25198 (and also referenced in GitHub advisory GHSA-3mvx-qw4r-fcqf), the flaw existed in all mailcow:dockerized releases prior to 2025-01aA vulnerability allowed an unauthenticationed attacker to cause the password reset function's reset link to point to a different domain under their control rather than the correct mailcow instance.
Most commonly, the following steps were taken:
1. An attacker submitted a password reset request for an account they wanted to gain access to ([email protected]) while manipulating the Host header with their own domain (attacker-controlled.server)
2. mailcow generates the reset token and creates the reset url using the poisoned Host value
3. A reset email is sent to the victim with a link like: https://attacker-controlled.server/reset-password?token=long-random-token
4. When the victim clicks on the link believing it is legitimate, they are sent to the attacker's server where they enter a new password and give full access to the attacker's server for this account.
Because mailcow uses the Host header to construct absolute URLs in emails, and didn't sufficiently validate or override it with a trusted base URL, the reset link could be fully controlled by the attacker.
A proof-of-concept (PoC) script for this issue was released publicly by the original discoverer in October 2025 and posted to GitHub. This script installs an HTTPS listener on TCP port 443 and sends poisoned password reset requests, as well as having optional HTTP/2 support through the use of the httpx command-line utility. When a victim interacts with the script, it will automatically extract any CSRF tokens (if applicable) from the password reset request and will retry until the victim clicks on the poisoned link (either from a redirect/response or directly from the fake domain in the email).
The PoC script requires you to run it in root or administrator mode (i.e., with superuser privileges) as it binds to port 443 of your computer and dynamically generates a self-signed SSL certificate so that it can communicate with the victim using HTTPS. In addition, Mailcow has addressed and fixed the vulnerability by releasing PoC v2025-01a, which uses a trusted base URL for password reset links and does not include an unverified "Host" header in email generation processes. The patch was announced via their security advisory on GitHub.
Who should care right now?
1. Anyone running mailcow:dockerized in production who hasn't updated since early 2025.
2. Self-hosted email admins who expose the web UI to the internet (even behind basic auth, the reset flow was reachable unauthenticated).
3. Companies that rely on mailcow for email, using either internal email or customer email, that become compromised will be completely vulnerable to having their entire mailbox accessed, their login credentials stolen, or their emails used to commit other cybercrimes classified as business email compromise.
Recommended actions:
1. Download the latest mailcow image and run ./update.sh (or similar) so that you’ll be running at least release 2025-01a.
2. Verify you have installed a patched version; check your mailcow.conf file or check mailcow’s versioning screen.
3. If you cannot immediately upgrade your version: limit access to the mailcow interface to IP addresses that you know or through a VPN, watch for strange emails being sent about password reset requests and looking at any traffic that has an unexpected Host header.
4. Educate your users; tell them not to click on reset links if the domain appears suspicious (but ideally, they would just not need to use the reset link).
This one's a good reminder that even mature open-source projects can have subtle trust issues around HTTP headers, especially when generating emails. Host header attacks aren't new, but when they land in password reset flows on email servers, the impact jumps significantly.
If you're running mailcow, take five minutes to check your version today. One quick update beats explaining a compromised admin mailbox later.
Source: Exploit DB