CVE-2025-50578

Source
https://cve.org/CVERecord?id=CVE-2025-50578
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50578.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-50578
Published
2025-07-30T00:00:00Z
Modified
2026-07-08T08:12:06.320835603Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically X-Forwarded-Host and Referer. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/50xxx/CVE-2025-50578.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/linuxserver/docker-heimdall

Affected ranges

Type
GIT
Repo
https://github.com/linuxserver/docker-heimdall
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:linuxserver:docker-heimdall:2.6.3-ls307:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.6.3-ls307"
        },
        {
            "last_affected": "2.6.3-ls307"
        }
    ]
}

Affected versions

2.*
2.6.3-ls307
v2.*
v2.6.3-ls307

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50578.json"