The application trusts the Host header for generating URLs, redirects, or password reset links without proper validation, allowing attackers to inject a malicious host value.
An attacker could poison password reset links to steal tokens, bypass virtual host-based access controls, perform web cache poisoning, or redirect users to malicious sites.
Configure the web server to accept only requests whose Host header matches an expected value, and reject all others. Do not derive URLs for sensitive operations (password reset links, redirects, canonical links) from the Host header; build them from a server-side configured base URL instead.
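A framework-agnostic illustration of the finding and its remediation, added here as example code rather than taken from any scanned application: the vulnerable pattern builds the reset link from the client-supplied Host header, while the hardened form validates Host against an allow-list and builds the link from a server-side BASE_URL. BASE_URL, ALLOWED_HOSTS, the header dicts and the hostname `attacker.invalid` are assumed sample values.

```python
from urllib.parse import urlsplit

# Server-side configuration (assumed values): the canonical public origin and
# the exact set of hostnames this deployment is willing to serve.
BASE_URL = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.app.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """The pattern the finding describes: the link's origin is copied straight
    from the client-controlled Host header, so whoever sets that header decides
    which host the reset token is sent to."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def host_is_allowed(host_header: str) -> bool:
    """Strict allow-list check for a Host header value: exact hostname match
    (case-insensitive), optional port tolerated, anything else rejected."""
    if not host_header:
        return False
    try:
        parts = urlsplit("//" + host_header)  # parse as a bare authority
        _ = parts.port                         # ValueError on a malformed port
    except ValueError:
        return False
    # Reject userinfo, paths, queries or fragments smuggled into the header,
    # e.g. "attacker.invalid@app.example.com" or "app.example.com/x".
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        return False
    # .hostname is already lower-cased; no suffix or substring matching.
    return parts.hostname in ALLOWED_HOSTS


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened form: the request is refused unless Host is on the allow-list,
    and the link is built from the configured BASE_URL, never from the header."""
    if not host_is_allowed(headers.get("Host", "")):
        raise ValueError("unexpected Host header; refusing to serve request")
    return f"{BASE_URL}/reset?token={token}"


# Constructed sample requests: one legitimate, one with a forged Host header.
LEGIT = {"Host": "app.example.com"}
FORGED = {"Host": "attacker.invalid"}

if __name__ == "__main__":
    print(vulnerable_reset_link(FORGED, "tok"))  # origin taken from the forged header
    print(safe_reset_link(LEGIT, "tok"))         # origin taken from BASE_URL
```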