CVE-2025-50578
Published: 30 July 2025
Summary
CVE-2025-50578 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Linuxserver Docker-Heimdall. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of untrusted user-supplied HTTP headers like X-Forwarded-Host and Referer to prevent host header injection and open redirect attacks.
Filters application outputs to block the loading of external attacker-controlled resources and unintended redirects resulting from injected headers.
Enforces restrictions on HTTP header inputs, such as size and format limits, to mitigate manipulation attempts in host header injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of a public-facing web application via header manipulation for open redirect and resource loading.
NVD Description
LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external…
more
resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.
Deeper analysisAI
CVE-2025-50578 is a vulnerability in LinuxServer.io Heimdall version 2.6.3-ls307, stemming from improper handling of user-supplied HTTP headers, specifically X-Forwarded-Host and Referer. This flaw enables Host Header Injection and Open Redirect attacks due to insufficient validation and trust of untrusted input, compromising the application's integrity and trustworthiness. It is associated with CWE-20 (Improper Input Validation), CWE-74 (Incorrect Web Statement), and CWE-601 (URL Redirection to Untrusted Site), earning a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability by manipulating the specified headers in HTTP requests. Successful exploitation allows loading external resources from attacker-controlled domains and redirecting users to unintended destinations, facilitating phishing attacks, UI redress (clickjacking), and session theft.
Mitigation details are available in related advisories and resources, including the Heimdall GitHub repository at https://github.com/linuxserver/Heimdall, issue tracker entry #1451 at https://github.com/linuxserver/Heimdall/issues/1451, and a Medium article detailing exploitation at https://medium.com/@juanfelipeoz.rar/cve-2025-50578-exploiting-host-header-injection-open-redirect-in-heimdall-application-733afceff2ea. Security practitioners should consult these for patch information and remediation steps.
Details
- CWE(s)