CVE-2025-50578 | LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability… | CVSS 9.8 CRITICAL

Description

LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.

Metadata

CVE ID: CVE-2025-50578
State: PUBLISHED
Assigner: mitre
Reserved: 2025-06-16 00:00 UTC
Published: 2025-07-30 00:00 UTC
Last updated: 2025-07-30 15:43 UTC
Primary CWE: CWE-74
CWE-74 Improper Neutralization of Special Elements in Output…
Vendor / Product: n/a / n/a
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
n/a	n/a	—	n/a

Weakness (CWE)

CWE	Source	Description
—	cna	n/a
CWE-20	adp	CWE-20 Improper Input Validation
CWE-601	adp	CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-74	adp	CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)