CRITICAL🇵🇱 Wersja polska

CVE-2023-51803

CVSS 9.8v3.1pub. 2024-04-01upd. 2026-04-15

LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring.

🤖 AI Analysis
How it works

The Heimdall application does not check whether the uploaded icon file contains only image data. An attacker can upload a file containing embedded PHP code (e.g. substring '<?php ?>') as an application icon. The server, interpreting such a file as a PHP script, may execute the malicious code contained within it. The vulnerability results from the lack of filtering of prohibited content in uploaded files (CWE-674 — improper recursion or improper input data processing).

Impact

An attacker can obtain remote code execution (RCE) on the server hosting the Heimdall application, which in practice means complete takeover of the server environment — violating confidentiality, integrity, and availability of the system.

Mitigation & patch

Update the Heimdall application to version 2.5.7 or newer, which introduces validation of uploaded icon files. Details available in the official release: https://github.com/linuxserver/Heimdall/releases/tag/v2.5.7

Who is affected

LinuxServer.io Heimdall in versions earlier than 2.5.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References