PKP-WAL 3.5.0-3 X-Forwarded-Host LESS Code Injection

PKP-WAL 3.5.0-3 suffers from a critical LESS Code Injection vulnerability.
The PKP-WAL 3.5.0-3 suffers from a critical LESS Code Injection vulnerability.
The application insecurely incorporates the value of the `X-Forwarded-Host` HTTP header directly into dynamically generated LESS stylesheets.
An attacker can craft a malicious `X-Forwarded-Host` header containing arbitrary LESS code.
When the server processes and compiles these stylesheets, the injected LESS code is executed.
This allows the attacker to control aspects of the server-side LESS compilation process.
Potential impacts include Remote Code Execution (RCE), Server-Side Request Forgery (SSRF) by forcing the server to fetch internal resources, or sensitive file disclosure.
The vulnerability stems from a lack of proper input validation and sanitization of the `X-Forwarded-Host` header before its use in stylesheet generation.
Mitigation involves strict validation of this header to prevent arbitrary code injection.

-----------------------------------------------------------------------
PKP-WAL <= 3.5.0-3 (X-Forwarded-Host) LESS Code Injection Vulnerability
-----------------------------------------------------------------------


[-] Software Links:

https://pkp.sfu.ca
https://github.com/pkp/pkp-lib


[-] Affected Versions:

PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-10
and prior versions, and version 3.5.0-3 and prior versions, as used in
Open Journal Systems (OJS), Open Monograph Press (OMP), and Open
Preprint Systems (OPS).


[-] Vulnerability Description:

The vulnerability exists within the PKPTemplateManager::compileLess()
method, which will call the Less_Parser::parse() method passing to it
the "baseUrl" variable. Such a variable, which is constructed from a
call to the $request->getBaseUrl() method, can be manipulated by
unauthenticated attackers through the X-Forwarded-Host HTTP header,
and this can be exploited to perform LESS Code Injection attacks,
subsequently leading to SSRF or Local File Read attacks.

Successful exploitation of this vulnerability requires the
allowed_hosts setting to be set to an empty string within the
config.inc.php script.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[21/10/2025] - Vendor notified

[24/10/2025] - Vendor replied the following GitHub issue already
solves the issue: https://github.com/pkp/pkp-lib/issues/7649

[25/10/2025] - Response sent to the vendor, stating this should be
treated as a new, different issue

[12/11/2025] - CVE identifier requested

[12/12/2025] - CVE identifier assigned

[23/12/2025] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has
assigned the name CVE-2025-67891 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-13