CVE-2025-50578

Source
https://cve.org/CVERecord?id=CVE-2025-50578
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50578.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-50578
Published
2025-07-30T16:15:28.177Z
Modified
2026-04-10T05:30:04.143267Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically X-Forwarded-Host and Referer. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows external resources to be loaded from attacker-controlled domains and users to be redirected to unintended destinations, potentially enabling phishing, UI redress, and session theft. The vulnerability exists because the application trusts this untrusted input without sufficient validation, affecting the integrity and trustworthiness of the application.

References

Affected packages

Git / github.com/linuxserver/docker-heimdall

Affected ranges

Type
GIT
Repo
https://github.com/linuxserver/docker-heimdall
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2.6.3-ls307
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.6.3-ls307"
        }
    ]
}

Affected versions

Other
1
10
11
12
13
14
15
16
17
18
19
2
20
21
22
23
24
25
26
27
28
29
3
30
31
32
33
34
35
36
37
38
39
4
40
41
42
43
44
45
46
47
48
49
5
50
51
52
53
54
55
56
57
58
59
6
60
61
62
63
64
65
66
67
68
69
7
70
71
72
73
74
75
76
77
8
9
1.*
1.4.17-pkg-08cae2ca-ls1
1.4.17-pkg-08cae2ca-ls2
1.4.17-pkg-08cae2ca-ls3
1.4.17-pkg-08cae2ca-ls4
1.4.17-pkg-08cae2ca-ls5
2.*
2.0.0-pkg-08cae2ca-ls5
2.0.1-pkg-08cae2ca-ls5
2.0.1-pkg-08cae2ca-ls6
2.0.2-pkg-08cae2ca-ls6
2.0.3-pkg-08cae2ca-ls6
2.0.3-pkg-08cae2ca-ls7
2.0.3-pkg-852a93c4-ls8
2.0.3-pkg-b25d9331-ls9
2.1.1-pkg-b25d9331-ls9
2.1.10-pkg-a3f4a643-ls14
2.1.11-pkg-1ae4109c-ls15
2.1.12-pkg-1ae4109c-ls15
2.1.12-pkg-1ae4109c-ls16
2.1.12-pkg-1ae4109c-ls17
2.1.12-pkg-36522071-ls18
2.1.12-pkg-36522071-ls19
2.1.12-pkg-7064d85d-ls23
2.1.12-pkg-905c8c63-ls21
2.1.12-pkg-af44ce28-ls20
2.1.12-pkg-c11a3ec1-ls22
2.1.13-ls41
2.1.13-ls42
2.1.13-ls43
2.1.13-ls44
2.1.13-ls45
2.1.13-pkg-0bfb028c-ls30
2.1.13-pkg-22b14c33-ls28
2.1.13-pkg-2d9b1002-ls34
2.1.13-pkg-327c9608-ls29
2.1.13-pkg-33e2ab22-ls35
2.1.13-pkg-3f3f92cf-ls33
2.1.13-pkg-60abd87f-ls26
2.1.13-pkg-60abd87f-ls27
2.1.13-pkg-6afe4b06-ls25
2.1.13-pkg-7064d85d-ls24
2.1.13-pkg-b5d1419d-ls39
2.1.13-pkg-d05c401f-ls36
2.1.13-pkg-d05c401f-ls37
2.1.13-pkg-d05c401f-ls38
2.1.13-pkg-d5c6327c-ls31
2.1.13-pkg-d5c6327c-ls32
2.1.13-pkg-f1f127e3-ls40
2.1.2-pkg-b25d9331-ls9
2.1.3-pkg-91878415-ls10
2.1.3-pkg-91878415-ls11
2.1.4-pkg-91878415-ls11
2.1.4-pkg-91878415-ls12
2.1.4-pkg-91878415-ls13
2.1.4-pkg-91878415-ls14
2.1.5-pkg-91878415-ls14
2.1.6-pkg-91878415-ls14
2.1.7-pkg-91878415-ls14
2.1.8-pkg-91878415-ls14
2.1.9-pkg-a3f4a643-ls14
2.2.0-ls45
2.2.0-ls46
2.2.1-ls47
2.2.2-ls100
2.2.2-ls101
2.2.2-ls102
2.2.2-ls103
2.2.2-ls104
2.2.2-ls105
2.2.2-ls106
2.2.2-ls107
2.2.2-ls108
2.2.2-ls109
2.2.2-ls110
2.2.2-ls111
2.2.2-ls112
2.2.2-ls113
2.2.2-ls114
2.2.2-ls115
2.2.2-ls116
2.2.2-ls117
2.2.2-ls118
2.2.2-ls119
2.2.2-ls120
2.2.2-ls121
2.2.2-ls122
2.2.2-ls123
2.2.2-ls124
2.2.2-ls125
2.2.2-ls126
2.2.2-ls127
2.2.2-ls128
2.2.2-ls129
2.2.2-ls130
2.2.2-ls131
2.2.2-ls132
2.2.2-ls133
2.2.2-ls134
2.2.2-ls135
2.2.2-ls136
2.2.2-ls137
2.2.2-ls138
2.2.2-ls139
2.2.2-ls140
2.2.2-ls141
2.2.2-ls142
2.2.2-ls143
2.2.2-ls144
2.2.2-ls145
2.2.2-ls146
2.2.2-ls148
2.2.2-ls149
2.2.2-ls150
2.2.2-ls151
2.2.2-ls152
2.2.2-ls153
2.2.2-ls154
2.2.2-ls155
2.2.2-ls156
2.2.2-ls157
2.2.2-ls158
2.2.2-ls159
2.2.2-ls160
2.2.2-ls47
2.2.2-ls48
2.2.2-ls49
2.2.2-ls50
2.2.2-ls51
2.2.2-ls52
2.2.2-ls53
2.2.2-ls54
2.2.2-ls55
2.2.2-ls56
2.2.2-ls57
2.2.2-ls58
2.2.2-ls59
2.2.2-ls60
2.2.2-ls61
2.2.2-ls62
2.2.2-ls63
2.2.2-ls64
2.2.2-ls65
2.2.2-ls66
2.2.2-ls67
2.2.2-ls68
2.2.2-ls69
2.2.2-ls70
2.2.2-ls71
2.2.2-ls72
2.2.2-ls73
2.2.2-ls74
2.2.2-ls75
2.2.2-ls76
2.2.2-ls77
2.2.2-ls78
2.2.2-ls79
2.2.2-ls80
2.2.2-ls81
2.2.2-ls82
2.2.2-ls83
2.2.2-ls84
2.2.2-ls85
2.2.2-ls86
2.2.2-ls87
2.2.2-ls88
2.2.2-ls89
2.2.2-ls90
2.2.2-ls91
2.2.2-ls92
2.2.2-ls93
2.2.2-ls94
2.2.2-ls95
2.2.2-ls96
2.2.2-ls97
2.2.2-ls98
2.2.2-ls99
V2.*
V2.4.5-ls164
V2.5.8-ls238
V2.5.8-ls239
V2.5.8-ls240
V2.5.8-ls241
V2.5.8-ls242
V2.5.8-ls243
V2.5.8-ls244
V2.5.8-ls245
V2.5.8-ls246
V2.5.8-ls247
V2.5.8-ls248
V2.5.8-ls249
V2.5.8-ls250
V2.5.8-ls251
V2.5.8-ls252
v2.*
v2.3.0-ls161
v2.3.1-ls161
v2.3.1-ls162
v2.3.1-ls163
v2.3.2-ls163
v2.4.0-ls164
v2.4.1-ls164
v2.4.10-ls166
v2.4.10-ls167
v2.4.11-ls167
v2.4.12-ls167
v2.4.12-ls168
v2.4.12-ls169
v2.4.12-ls170
v2.4.12-ls171
v2.4.12-ls172
v2.4.12-ls173
v2.4.12-ls174
v2.4.12-ls175
v2.4.12-ls176
v2.4.13-ls176
v2.4.13-ls177
v2.4.13-ls178
v2.4.13-ls179
v2.4.13-ls180
v2.4.13-ls181
v2.4.13-ls182
v2.4.13-ls183
v2.4.13-ls184
v2.4.13-ls185
v2.4.13-ls186
v2.4.13-ls187
v2.4.13-ls188
v2.4.13-ls189
v2.4.13-ls190
v2.4.14-ls191
v2.4.15-ls191
v2.4.15-ls192
v2.4.15-ls193
v2.4.15-ls194
v2.4.2-ls164
v2.4.3-ls164
v2.4.4-ls164
v2.4.6-ls164
v2.4.7b-ls165
v2.4.8-ls165
v2.4.9-ls166
v2.5.0-ls194
v2.5.1-ls194
v2.5.1-ls195
v2.5.2-ls195
v2.5.2-ls196
v2.5.3-ls196
v2.5.3-ls197
v2.5.4-ls197
v2.5.4-ls198
v2.5.5-ls198
v2.5.5-ls199
v2.5.5-ls200
v2.5.5-ls201
v2.5.5-ls202
v2.5.5-ls203
v2.5.5-ls204
v2.5.5-ls205
v2.5.5-ls206
v2.5.6-ls207
v2.5.6-ls208
v2.5.6-ls209
v2.5.6-ls210
v2.5.6-ls211
v2.5.6-ls212
v2.5.6-ls213
v2.5.6-ls214
v2.5.6-ls215
v2.5.6-ls216
v2.5.6-ls217
v2.5.6-ls218
v2.5.6-ls219
v2.5.6-ls220
v2.5.6-ls221
v2.5.6-ls222
v2.5.6-ls223
v2.5.6-ls224
v2.5.6-ls225
v2.5.6-ls226
v2.5.6-ls227
v2.5.6-ls228
v2.5.6-ls229
v2.5.6-ls230
v2.5.6-ls231
v2.5.6-ls232
v2.5.6-ls233
v2.5.6-ls234
v2.5.6-ls235
v2.5.6-ls236
v2.5.7-ls236
v2.5.7-ls237
v2.5.7-ls238
v2.6.0-ls253
v2.6.1-ls253
v2.6.1-ls254
v2.6.1-ls255
v2.6.1-ls256
v2.6.1-ls257
v2.6.1-ls258
v2.6.1-ls259
v2.6.1-ls260
v2.6.1-ls261
v2.6.1-ls262
v2.6.1-ls263
v2.6.1-ls264
v2.6.1-ls265
v2.6.1-ls266
v2.6.1-ls267
v2.6.1-ls268
v2.6.1-ls269
v2.6.1-ls270
v2.6.1-ls271
v2.6.1-ls272
v2.6.1-ls273
v2.6.1-ls274
v2.6.1-ls275
v2.6.1-ls276
v2.6.1-ls277
v2.6.1-ls278
v2.6.1-ls279
v2.6.1-ls280
v2.6.1-ls281
v2.6.1-ls282
v2.6.1-ls283
v2.6.1-ls284
v2.6.1-ls285
v2.6.1-ls286
v2.6.1-ls287
v2.6.2-ls287
v2.6.3-ls287
v2.6.3-ls288
v2.6.3-ls289
v2.6.3-ls290
v2.6.3-ls291
v2.6.3-ls292
v2.6.3-ls293
v2.6.3-ls294
v2.6.3-ls295
v2.6.3-ls296
v2.6.3-ls297
v2.6.3-ls298
v2.6.3-ls299
v2.6.3-ls300
v2.6.3-ls301
v2.6.3-ls302
v2.6.3-ls303
v2.6.3-ls304
v2.6.3-ls305
v2.6.3-ls306
v2.6.3-ls307

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50578.json"