Cyber Resilience

CVE-2025-50578

Critical · Public PoC

Published: 30 July 2025
Modified: 25 August 2025
KEV Added: none
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0318 (87.2nd percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-50578 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Linuxserver Docker-Heimdall. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

LinuxServer.io Heimdall version 2.6.3-ls307 is affected by insufficient validation of user-supplied HTTP headers, specifically X-Forwarded-Host and Referer. The flaw permits Host Header Injection and Open Redirect attacks because the application trusts untrusted input without proper sanitization, as indicated by the associated CWEs for improper input validation, injection, and open redirect.

An unauthenticated remote attacker can supply crafted headers to force the application to load resources from attacker-controlled domains or redirect users to arbitrary locations. This can result in phishing campaigns, UI redress attacks, and potential session theft, consistent with the CVSS 9.8 rating reflecting network-exploitable integrity and confidentiality impacts without authentication or user interaction.

The EPSS score rose from a low baseline to a peak of 0.0575 on 2026-04-02 before receding to the current value of 0.0318, indicating measurable post-disclosure exploitation interest that warrants renewed attention. References point to the upstream GitHub repository and a detailed issue discussion but provide no explicit patch or mitigation guidance in the available details.


Vulnerability details

LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.

CWE(s): CWE-20 (Improper Input Validation), CWE-74 (Injection), CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? Direct remote exploitation of a public-facing web application via header manipulation for open redirect and resource loading.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45055 (shared CWEs: CWE-20, CWE-601)
CVE-2026-29046 (shared CWEs: CWE-20, CWE-74)
CVE-2026-4755 (shared CWE: CWE-20)
CVE-2025-64428 (shared CWE: CWE-74)
CVE-2026-0573 (shared CWE: CWE-601)
CVE-2026-25814 (shared CWE: CWE-74)
CVE-2025-12275 (shared CWE: CWE-20)
CVE-2025-21344 (shared CWE: CWE-20)
CVE-2026-2880 (shared CWE: CWE-20)
CVE-2025-1514 (shared CWE: CWE-20)

Affected Assets

linuxserver/docker-heimdall, version 2.6.3-ls307

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent): Directly mandates validation of untrusted user-supplied HTTP headers like X-Forwarded-Host and Referer to prevent host header injection and open redirect attacks.

SI-15 Information Output Filtering (prevent): Filters application outputs to block the loading of external attacker-controlled resources and unintended redirects resulting from injected headers.

Input restriction (prevent): Enforces restrictions on HTTP header inputs, such as size and format limits, to mitigate manipulation attempts in host header injection.
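Applied to this flaw, the input-validation and output-filtering controls above reduce to two concrete checks: honour X-Forwarded-Host only when the request arrived from a trusted reverse proxy and only when it names a host the deployment actually serves, and never redirect to a destination that leaves the application's own origin. The Python below is an added illustration written for this page, not Heimdall's code or a patch; the allowlist, proxy ranges, header dictionary and sample values are constructed assumptions.

```python
"""Defensive handling of forwarded-host and redirect inputs (hypothetical example).

Assumes a web application deployed behind a reverse proxy and a framework that
hands headers over as a dict keyed by canonical header name.
"""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration: hostnames this deployment is allowed to answer for.
ALLOWED_HOSTS = {"heimdall.example.internal", "apps.example.com"}
# Constructed configuration: proxies whose X-Forwarded-* headers may be trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.1/32")]

# Plain DNS hostname: labels of letters, digits and hyphens, joined by dots.
_HOST_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def _split_host_port(value):
    """Return (host, port) for a well-formed host[:port], else None."""
    value = value.strip().lower()
    if not value or len(value) > 255 or value.startswith("["):
        return None  # refuse IPv6 literals rather than guess at them
    host, _, port = value.partition(":")
    if port and not port.isdigit():
        return None
    if not _HOST_RE.match(host):
        return None
    return host, port


def effective_host(headers, client_ip):
    """Decide which hostname the application should treat as its own.

    X-Forwarded-Host is honoured only when the TCP peer is a trusted proxy,
    and only its first hop is used; whatever wins must be allow-listed.
    Returns the bare hostname, or None when the request should get HTTP 400.
    """
    candidate = headers.get("Host", "")
    try:
        peer = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = headers.get("X-Forwarded-Host", "")
        if forwarded:
            candidate = forwarded.split(",")[0]
    parsed = _split_host_port(candidate)
    if parsed is None or parsed[0] not in ALLOWED_HOSTS:
        return None
    return parsed[0]


def safe_redirect_target(target, own_host, default="/"):
    """Normalise a return/next destination to a same-origin path.

    Protocol-relative URLs (//other.host), backslash variants, userinfo tricks
    and absolute URLs to any other host all collapse to `default`.
    """
    if not target:
        return default
    target = target.replace("\\", "/")  # browsers treat "\\" like "/"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute URL: accept only our own host over https, and keep just the path.
        if parts.scheme != "https" or parts.netloc.lower() != own_host:
            return default
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample requests, one accepted and one refused.
    print(effective_host({"Host": "heimdall.example.internal",
                          "X-Forwarded-Host": "evil.example"}, "203.0.113.5"))
    print(effective_host({"Host": "heimdall.example.internal",
                          "X-Forwarded-Host": "evil.example"}, "10.1.2.3"))
    print(safe_redirect_target("//evil.example/x", "apps.example.com"))
    print(safe_redirect_target("/dashboard?tab=1", "apps.example.com"))
```

The first function implements the SI-10 side (validate, then allow-list) and the second the SI-15 side (filter what leaves the application); a request whose effective host is None should be answered with a 400 rather than a redirect, so the rejection itself cannot be turned into a redirect vector.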
