GHSA-9vh6-qfv6-vcqp

GitHub Security Advisory

snipe-IT vulnerable to host header injection

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Snipe-IT is a free, open-source IT asset/license management system. In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted Host header in the reset-password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server, leaking the password reset token. This can lead to account takeover.
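The defect class described above is the application building the emailed reset link from the client-supplied Host header instead of from server-side configuration. The following is an added illustration of the vulnerable pattern beside its hardened counterpart; it is not Snipe-IT's code or the actual fix in 5.4.0. The canonical base URL, the trusted-host allowlist, the `/password/reset` path and the request dictionaries are all constructed assumptions.

```python
"""Password reset link construction: Host-header-trusting vs. canonical-URL.

Added illustration of the flaw class in GHSA-9vh6-qfv6-vcqp; not Snipe-IT's
code. Hostnames, the base URL, the reset path and the request dicts are
constructed sample data.
"""
from urllib.parse import urlencode

# Constructed: the deployment's configured canonical base URL (in Laravel
# apps this role is normally played by APP_URL; the value here is an
# assumption).
APP_URL = "https://assets.example.internal"

# Constructed: hosts the application is allowed to serve. Any other Host
# value is treated as spoofed.
TRUSTED_HOSTS = {"assets.example.internal"}

# Assumed reset endpoint path; not taken from Snipe-IT.
RESET_PATH = "/password/reset"


def build_reset_link_from_host_header(request: dict, token: str) -> str:
    """Vulnerable pattern: the link origin comes straight from the request.

    The client controls the Host header, so whoever submits the reset
    request decides where the emailed link points. The token embedded in
    the link is then disclosed to that origin when the victim clicks it.
    """
    scheme = request.get("scheme", "https")
    host = request["headers"]["Host"]
    return f"{scheme}://{host}{RESET_PATH}?{urlencode({'token': token})}"


def build_reset_link_from_config(request: dict, token: str) -> str:
    """Hardened pattern: the origin comes from server-side configuration.

    The Host header is only used as a sanity check against an allowlist.
    A mismatch is rejected rather than silently corrected, so the event
    can be logged and alerted on.
    """
    host = request["headers"].get("Host", "")
    # Drop an optional port before comparing (Host may be "name:port").
    hostname = host.split(":", 1)[0].lower()
    if hostname not in TRUSTED_HOSTS:
        raise ValueError(f"untrusted Host header rejected: {host!r}")
    return f"{APP_URL}{RESET_PATH}?{urlencode({'token': token})}"


def demo() -> dict:
    """Run both builders on a constructed request carrying a spoofed Host."""
    spoofed_request = {
        "scheme": "https",
        "headers": {"Host": "attacker-controlled.example"},  # constructed
    }
    token = "constructed-sample-token"
    result = {
        "vulnerable": build_reset_link_from_host_header(spoofed_request, token),
    }
    try:
        result["hardened"] = build_reset_link_from_config(spoofed_request, token)
    except ValueError as exc:
        result["hardened"] = f"rejected ({exc})"
    return result


if __name__ == "__main__":
    for name, link in demo().items():
        print(f"{name:10s} {link}")
```

The same check has to cover any header a reverse proxy rewrites into the effective host (for example X-Forwarded-Host), otherwise an allowlist on Host alone is bypassed at the proxy layer; rejecting the request, rather than quietly substituting the canonical host, also gives the SOC a log line to detect probing of the reset endpoint.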

Affected Packages

Packagist snipe/snipe-it
Affected versions: 3.0-alpha through 5.3.7 (fixed in 5.4.0)

Related CVEs

Key Information

GHSA ID
GHSA-9vh6-qfv6-vcqp
Published
May 3, 2022 12:00 AM
Last Modified
May 3, 2022 6:29 AM
CVSS Score
7.5 /10
Primary Ecosystem
Packagist
Primary Package
snipe/snipe-it
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.