The application builds password reset links from user-controllable request input (the Host header, or headers such as X-Forwarded-Host that many frameworks treat as equivalent) instead of from a server-side configured base URL. An attacker who requests a password reset for a victim's account while supplying a forged Host header causes the reset email sent to the victim to carry a link that points at an attacker-controlled domain.
When the victim clicks the link, the reset token is delivered to the attacker's server. The attacker then submits that token to the legitimate reset endpoint, sets a new password, and takes over the account, gaining full access to the victim's data and privileges. No interaction beyond the victim clicking what appears to be a genuine reset link is required.
Build password reset links from a server-side configured base URL, never from the Host header or any forwarded-host header. Independently, validate the incoming Host header against an allowlist of expected hostnames (exact match after stripping the port; no suffix or substring matching) and reject requests that do not match. Issue reset tokens that are unguessable, short-lived, and invalidated on first use, and store only a hash of the token server-side. Notify users whenever a password reset is requested for their account.
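The following is an added example, not code from the application described here, showing the vulnerable link builder beside a hardened one and a minimal single-use, short-lived token store. The configuration values (RESET_BASE_URL, ALLOWED_HOSTS, the 15-minute TTL) and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Hypothetical server-side configuration (assumed values, not from the finding).
RESET_BASE_URL = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
RESET_TOKEN_TTL_SECONDS = 15 * 60


def build_reset_link_vulnerable(host_header: str, token: str) -> str:
    """Vulnerable pattern: the link's origin comes straight from the request's Host header,
    so a forged Host header redirects the token to the attacker's domain."""
    return f"https://{host_header}/reset?token={token}"


def host_is_allowed(host_header: str) -> bool:
    """Exact, case-insensitive match of the Host header's hostname against the allowlist.
    Rejects userinfo, path, query or fragment smuggled into the header, and a malformed port."""
    if not host_header:
        return False
    parts = urlsplit("//" + host_header)  # parse as a network location only
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return False
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    hostname = parts.hostname  # already lower-cased by urlsplit, port stripped
    return hostname is not None and hostname in ALLOWED_HOSTS


def build_reset_link_safe(host_header: str, token: str) -> Optional[str]:
    """Hardened: the Host header is only validated, never echoed. The link always uses the
    configured base URL. Returns None when the request should be refused (the caller should
    still answer with the same generic 'check your email' message to avoid enumeration)."""
    if not host_is_allowed(host_header):
        return None
    return f"{RESET_BASE_URL}/reset?{urlencode({'token': token})}"


class ResetTokenStore:
    """Short-lived, single-use reset tokens. Only a SHA-256 hash is kept, so a leaked table
    does not yield usable tokens. The clock is injectable for testing."""

    def __init__(self, ttl: int = RESET_TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now
        self._tokens = {}  # token hash -> (user_id, expiry timestamp)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._tokens[self._hash(token)] = (user_id, self._now() + self._ttl)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Returns the user id once; the token is removed whether or not it was still valid."""
        entry = self._tokens.pop(self._hash(token), None)  # pop enforces single use
        if entry is None:
            return None
        user_id, expiry = entry
        if self._now() > expiry:
            return None
        return user_id


def demo_token_lifecycle() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Walk a token through first use, replay and expiry with a controllable clock.
    Returns (first_redeem, replayed_redeem, expired_redeem)."""
    clock = [1_000.0]
    store = ResetTokenStore(ttl=60, now=lambda: clock[0])
    token = store.issue("user-42")
    first = store.redeem(token)    # accepted
    replay = store.redeem(token)   # None: already consumed
    late = store.issue("user-42")
    clock[0] += 61                 # move past the TTL
    expired = store.redeem(late)   # None: too old
    return first, replay, expired


if __name__ == "__main__":
    forged = "attacker.example"
    print("vulnerable:", build_reset_link_vulnerable(forged, "tok"))
    print("hardened:  ", build_reset_link_safe(forged, "tok"))
    print("hardened:  ", build_reset_link_safe("app.example.com:443", "tok"))
    print("lifecycle: ", demo_token_lifecycle())
```

The allowlist check deliberately refuses anything that is not a bare hostname with an optional numeric port: a Host value like attacker.example@app.example.com or app.example.com/evil parses to the allowed hostname but carries extra components, and it is rejected rather than normalised. Even with the check in place, the link must still be built from RESET_BASE_URL, since the validation protects the application only as long as no allowlisted name ever points at something the attacker controls.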