CVE-2025-50578
Published: 30 July 2025
Summary
CVE-2025-50578 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Linuxserver Docker-Heimdall. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
LinuxServer.io Heimdall version 2.6.3-ls307 is affected by insufficient validation of user-supplied HTTP headers, specifically X-Forwarded-Host and Referer. The flaw permits Host Header Injection and Open Redirect attacks because the application trusts untrusted input without proper sanitization, as indicated by the associated CWEs for improper input validation, injection, and open redirect.
An unauthenticated remote attacker can supply crafted headers to force the application to load resources from attacker-controlled domains or redirect users to arbitrary locations. This can result in phishing campaigns, UI redress attacks, and potential session theft, consistent with the CVSS 9.8 rating reflecting network-exploitable integrity and confidentiality impacts without authentication or user interaction.
The EPSS score rose from a low baseline to a peak of 0.0575 on 2026-04-02 before receding to the current value of 0.0318, indicating measurable post-disclosure exploitation interest that warrants renewed attention. References point to the upstream GitHub repository and a detailed issue discussion but provide no explicit patch or mitigation guidance in the available details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23174
Vulnerability details
LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct remote exploitation of a public-facing web application via header manipulation for open redirect and resource loading.
Affected Assets
- LinuxServer.io Heimdall 2.6.3-ls307 (Linuxserver Docker-Heimdall)
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mandates validation of untrusted user-supplied HTTP headers like X-Forwarded-Host and Referer to prevent host header injection and open redirect attacks.
- SI-15 (Information Output Filtering): Filters application outputs to block the loading of external attacker-controlled resources and unintended redirects resulting from injected headers.
- Enforces restrictions on HTTP header inputs, such as size and format limits, to mitigate manipulation attempts in host header injection.
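As an added example (not code from Heimdall or LinuxServer.io), the following Python shows the two checks the controls above call for, applied to the headers named in the vulnerability details: honour X-Forwarded-Host only when its hostname is on a configured allowlist, and derive a redirect target from Referer only when it is same-origin. The hostnames, header dictionary and the naive_public_host helper that illustrates the trusting pattern are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostnames this deployment is legitimately served under (constructed example values).
TRUSTED_HOSTS = {"heimdall.example.internal", "dash.example.com"}


def naive_public_host(headers: dict, fallback: str) -> str:
    """The pattern the advisory describes: the forwarded host is trusted as-is."""
    return headers.get("X-Forwarded-Host", fallback)


def resolve_public_host(headers: dict, fallback: str) -> str:
    """Return the host to use when building absolute URLs.

    X-Forwarded-Host is honoured only when its hostname is in TRUSTED_HOSTS;
    anything else falls back to the configured canonical host.
    """
    forwarded = headers.get("X-Forwarded-Host", "")
    # A proxy chain may append several values; the first is the client-facing one.
    candidate = forwarded.split(",")[0].strip().lower()
    hostname = candidate.rsplit(":", 1)[0] if candidate else ""
    return candidate if hostname in TRUSTED_HOSTS else fallback


def safe_redirect_target(referer: str, request_host: str, default: str = "/") -> str:
    """Turn a Referer into a same-origin, path-only redirect target.

    Anything that is not http(s), points at another host, or would become a
    scheme-relative URL (path starting with // or /\\) yields the default.
    """
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return default
    if parts.hostname.lower() != request_host.split(":")[0].lower():
        return default
    path = parts.path or "/"
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return default
    # Drop scheme and authority so the redirect can only stay on this origin.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    hdrs = {"X-Forwarded-Host": "evil.example.net"}  # constructed request headers
    print(naive_public_host(hdrs, "dash.example.com"))    # evil.example.net
    print(resolve_public_host(hdrs, "dash.example.com"))  # dash.example.com
    print(safe_redirect_target("https://evil.example.net/login", "dash.example.com"))  # /
    print(safe_redirect_target("https://dash.example.com/items?page=2", "dash.example.com"))
```

The same allowlist should be applied wherever the application derives its own origin, including the proxy layer in front of the container, so that a forwarded host the proxy never set cannot reach the application.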