
Lack of data validation - Host Header Injection


Description

The application allows the Host header to be manipulated, which may lead to unintended redirects to malicious websites.


Impact

Redirect the user to harmful websites.


Recommendation

Validate the Host header against a whitelist of trusted domains.


Threat

Anonymous attacker from adjacent network.

Expected Remediation Time

⌚ 30 minutes.


Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N


Temporal

  • Exploit code maturity: H
  • Remediation level: U
  • Report confidence: C


Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:H/RL:U/RC:C
  • Score:
    • Base: 3.7
    • Temporal: 3.7
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The application uses user input only after validating it on the server side.

const http = require('http');

// Only the hosts the application is legitimately served under
const whitelist = ['example.com', 'www.example.com'];

const signinHandler = (req, res) => {
  const host = req.headers.host;
  // Reject any request whose Host header is not in the whitelist
  if (!whitelist.includes(host)) {
    res.writeHead(400);
    return res.end('Invalid Host header');
  }
  // Do data manipulation with the validated host
  res.writeHead(302, { Location: `https://${host}/signin` });
  res.end();
};

http.createServer(signinHandler).listen(8080);

Non compliant code

The application uses user input without server-side validation.

const signinHandler = (req, res) => {
  // Do data manipulation without validating the Host header against a whitelist
  const host = req.headers.host;
  res.writeHead(302, { Location: `https://${host}/signin` });
  res.end();
};
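The following is an added example, not code from the original page: it extends the compliant handler above with a reusable Host header check that normalises case, tolerates an optional port or bracketed IPv6 literal, and rejects everything else before the value is used to build a redirect. The ALLOWED_HOSTS set, the `/account` path and the function names are assumptions.

```javascript
// Added example, not code from the original page: allowlist validation of
// the Host header for a Node.js sign-in handler. ALLOWED_HOSTS is a
// constructed placeholder for the hosts the application is really served under.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Returns the normalised host name when the Host header is allowlisted,
// otherwise null. Accepts an optional ":port" suffix and a bracketed IPv6
// literal, compares case-insensitively, and rejects anything else (path
// fragments, userinfo, whitespace, overlong values, missing header).
function validateHost(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0 ||
      hostHeader.length > 255) {
    return null;
  }
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?$/i.exec(hostHeader);
  if (m === null) {
    return null;
  }
  const host = m[1].toLowerCase();
  return allowed.has(host) ? host : null;
}

// Decides the sign-in response. The redirect target is built only from the
// validated host, never from the raw header, so a request-supplied Host
// value cannot steer the user to another site.
function signinRedirect(req) {
  const host = validateHost(req.headers.host);
  if (host === null) {
    return { status: 400, location: null };
  }
  return { status: 302, location: `https://${host}/account` };
}

// Plain Node.js handler wiring; pass it to http.createServer(signinHandler).
function signinHandler(req, res) {
  const { status, location } = signinRedirect(req);
  if (location !== null) {
    res.setHeader('Location', location);
  }
  res.statusCode = status;
  res.end(location === null ? 'Invalid Host header' : '');
}
```

Behind a reverse proxy, apply the same check to the forwarded host header the proxy sets, and prefer a configured canonical origin over any request-supplied value when building absolute URLs.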