CRITICAL🇵🇱 Wersja polska

CVE-2025-50578

CVSS 9.8v3.1pub. 2025-07-30upd. 2025-08-25

LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.

🤖 AI Analysis
How it works

An attacker remotely and without authentication manipulates HTTP headers `X-Forwarded-Host` or `Referer`, which the application accepts without proper verification as a trusted source. Injecting attacker-controlled header values allows the application to load external resources from attacker domains (Host Header Injection) or redirect the user to any URL (Open Redirect). This results from insufficient validation of untrusted input data, classifying the vulnerability as CWE-20 (improper input validation) and CWE-74/CWE-601 (injection and open redirect).

Impact

Attackers can conduct phishing attacks by redirecting users to malicious sites, perform session hijacking, manipulate the user interface (UI redress), and force loading of external resources from attacker-controlled domains, compromising application integrity and trustworthiness.

Mitigation & patch

Apply patches available from the vendor according to the references. As a remedial measure, consider implementing rules at the reverse proxy or firewall level to reject unexpected values in `X-Forwarded-Host` and `Referer` headers, and restrict access to Heimdall instances exclusively to trusted networks.

Who is affected

LinuxServer.io Heimdall version 2.6.3-ls307

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linuxserver Docker Heimdall

    APP
    Linuxserver
    2.6.3-ls307
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-54597HIGH7.2ten sam vendor

LinuxServer.io Heimdall before 2.7.3 allows XSS via the q parameter.

CVE-2022-47968MEDIUM5.4ten sam vendor

Heimdall Application Dashboard through 2.5.4 allows reflected and stored XSS via "Application name" to the "Ad...