CVE-2025-50578
published 2025-07-30
Priority: P2 · 68 · critical · 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public (Nuclei template available)
EPSS: 2.78% (84.6th percentile)
LinuxServer.io Heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can set these headers to perform Host Header Injection and Open Redirect attacks: the application builds absolute URLs (for example script and stylesheet references) from the forwarded host, so pages load external resources from an attacker-controlled domain, and it redirects users to the supplied `Referer` without checking that it points back at the application. This enables phishing, UI redress and session theft. The root cause is insufficient validation of, and unwarranted trust in, client-controlled header values, which undermines the integrity and trustworthiness of the application.
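The flaw described above and the corresponding fix, as an added example that is not Heimdall's code (the page does not show Heimdall's request handling). It models the vulnerable pattern, trusting `X-Forwarded-Host` from any client and redirecting to whatever `Referer` says, beside a hardened form that only honours the forwarded host from a known reverse proxy, checks the result against an allowlist of hosts the app actually serves, and keeps redirects relative. The request dictionaries, the proxy address `10.0.0.2` and the host `dash.example.internal` are constructed for the example.

```python
"""Vulnerable vs hardened handling of X-Forwarded-Host and Referer.

Added example, not Heimdall's code: the functions below model the header
trust problem the advisory describes, not the project's actual code paths.
"""
from urllib.parse import urlsplit

# Constructed sample: an attacker hits the app directly with forged headers.
ATTACKER_REQUEST = {
    "remote_addr": "203.0.113.7",            # not a proxy we operate
    "headers": {
        "Host": "dash.example.internal",
        "X-Forwarded-Host": "interact.sh",   # value from the page's IOC list
        "Referer": "http://interact.sh/login",
    },
}

# Constructed sample: a legitimate request arriving via our reverse proxy.
PROXIED_REQUEST = {
    "remote_addr": "10.0.0.2",               # assumed proxy address
    "headers": {
        "Host": "10.0.0.5:8080",
        "X-Forwarded-Host": "dash.example.internal",
        "Referer": "https://dash.example.internal/settings",
    },
}

TRUSTED_PROXIES = {"10.0.0.2"}               # assumption for the example
ALLOWED_HOSTS = {"dash.example.internal"}    # hosts the app is served under


def vulnerable_base_url(req):
    """Flawed pattern: trust X-Forwarded-Host from anyone.

    Every absolute URL built from this value (asset tags, redirects,
    password-reset links) points at the host the client supplied.
    """
    host = req["headers"].get("X-Forwarded-Host") or req["headers"]["Host"]
    return f"http://{host}"


def hardened_base_url(req, trusted_proxies=TRUSTED_PROXIES,
                      allowed_hosts=ALLOWED_HOSTS):
    """Honour X-Forwarded-Host only from a trusted proxy, and only if the
    resulting host is one we serve; otherwise use the canonical host."""
    headers = req["headers"]
    host = headers["Host"]
    if req["remote_addr"] in trusted_proxies and headers.get("X-Forwarded-Host"):
        host = headers["X-Forwarded-Host"]
    hostname = host.split(":", 1)[0].lower()
    if hostname not in allowed_hosts:
        # Unknown host, whether forged directly or relayed by the proxy:
        # never echo it back into generated URLs.
        hostname = sorted(allowed_hosts)[0]
    return f"https://{hostname}"


def vulnerable_redirect_target(req):
    """Flawed pattern: send the user wherever Referer says (open redirect)."""
    return req["headers"].get("Referer", "/")


def safe_redirect_target(req, allowed_hosts=ALLOWED_HOSTS):
    """Redirect only to a path on an allowed host, and only as a relative path.

    A path beginning with '//' is rejected too: browsers treat '//evil.example'
    as a protocol-relative URL, which would reopen the redirect.
    """
    parts = urlsplit(req["headers"].get("Referer", ""))
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        return "/"
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return "/"
    return path


def script_tag(base_url):
    """Where an injected <script src="http://interact.sh/..."> comes from."""
    return f'<script src="{base_url}/js/app.js"></script>'


if __name__ == "__main__":
    print(script_tag(vulnerable_base_url(ATTACKER_REQUEST)))
    print(script_tag(hardened_base_url(ATTACKER_REQUEST)))
    print(vulnerable_redirect_target(ATTACKER_REQUEST), "->",
          safe_redirect_target(ATTACKER_REQUEST))
```

The hardened version refuses the forged host even when it arrives through the trusted proxy, because a proxy that forwards client-supplied `X-Forwarded-Host` unchanged is a common misconfiguration; the allowlist check is what actually closes the hole.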
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linuxserver | docker-heimdall | — | — |
Detection & IOCs (extracted from sources)
- Header IOC: `X-Forwarded-Host: interact.sh`
- Probe request:
```http
GET / HTTP/1.1
Host: {{Hostname}}
X-Forwarded-Host: interact.sh
```
- Response matcher: `<script src="http://interact.sh/`
- Detect exploitation attempts by monitoring HTTP requests to Heimdall instances that carry an `X-Forwarded-Host` header with an external or unexpected domain. `interact.sh` is only the template's out-of-band test domain; real attackers use their own, so match on "not one of our hostnames" rather than on that literal.
- Use the Shodan query `html:"Heimdall"` to identify exposed Heimdall instances potentially vulnerable to CVE-2025-50578.
- Monitor for abuse of both the `X-Forwarded-Host` and `Referer` headers with external, attacker-controlled domain values on Heimdall endpoints. An external `Referer` alone is normal browsing traffic; treat it as a low-confidence signal and correlate it with the forwarded-host anomaly.
- The vulnerability requires no authentication and no special privileges, so any unauthenticated remote attacker can exploit it with a single crafted HTTP request.
- The Nuclei template confirms exploitation with a single HTTP request (max-request: 1), so detection rules should flag even a single occurrence of the injected header pattern rather than waiting for a threshold.
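Detection logic for the points above, as an added example rather than a rule from the page: it parses raw HTTP/1.1 request captures (as a proxy or WAF might log them), flags `X-Forwarded-Host` or `Referer` values whose host is not one the instance serves, grades the two headers differently as the bullets suggest, and adds a response-side check that mirrors the `<script src="http://interact.sh/` matcher. The allowlist `dash.example.internal` / `10.0.0.5` and all sample captures are constructed; the first capture mirrors the probe request on the page.

```python
"""Detect X-Forwarded-Host / Referer abuse against a Heimdall-style app.

Added example, not a rule shipped by any vendor. Input is raw HTTP request
text; the allowlist and the sample captures below are constructed.
"""
import re
from urllib.parse import urlsplit

# Hostnames our instance legitimately answers to (assumed for the example).
ALLOWED_HOSTS = {"dash.example.internal", "10.0.0.5"}

# Constructed captures. The first mirrors the page's probe request.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: dash.example.internal\r\n"
    "X-Forwarded-Host: interact.sh\r\n\r\n",
    "GET /login HTTP/1.1\r\nHost: dash.example.internal\r\n"
    "Referer: http://interact.sh/\r\n\r\n",
    "GET /css/app.css HTTP/1.1\r\nHost: dash.example.internal\r\n"
    "X-Forwarded-Host: dash.example.internal\r\n"
    "Referer: https://dash.example.internal/\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: dash.example.internal\r\n"
    "X-Forwarded-Host: interact.sh:80\r\n\r\n",
]

# One forged X-Forwarded-Host is enough to exploit; an external Referer is
# ordinary browsing unless it co-occurs with something else.
SEVERITY = {"x-forwarded-host": "high", "referer": "low"}


def parse_request(raw):
    """Return (request_line, headers) with lower-cased header names.

    A repeated header keeps its last value; duplicates are themselves a
    smuggling signal but are out of scope for this check.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_of(value):
    """Reduce a header value to a bare lower-case hostname.

    Referer is a full URL; X-Forwarded-Host may carry a port or a
    comma-joined proxy chain, in which case the first entry is the client's.
    """
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split(",")[0].strip().split(":", 1)[0].lower()


def inspect_request(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means nothing suspicious."""
    request_line, headers = parse_request(raw)
    findings = []
    for header in ("x-forwarded-host", "referer"):
        if header not in headers:
            continue
        host = host_of(headers[header])
        if host and host not in allowed_hosts:
            findings.append({
                "request": request_line,
                "header": header,
                "value": headers[header],
                "severity": SEVERITY[header],
                "reason": f"{header} points at untrusted host {host}",
            })
    return findings


def scan(requests, allowed_hosts=ALLOWED_HOSTS):
    """Flag on the first hit: no threshold, since one request suffices."""
    return [f for raw in requests for f in inspect_request(raw, allowed_hosts)]


def response_leaks_host(body, allowed_hosts=ALLOWED_HOSTS):
    """Response-side check: any <script src> pointing at a host we do not
    serve means a forged header was reflected into the page."""
    for src in re.findall(r'<script[^>]*\ssrc=["\']([^"\']+)', body, re.I):
        if src.startswith("//"):          # protocol-relative still leaves the app
            src = "http:" + src
        if "://" in src and host_of(src) not in allowed_hosts:
            return True
    return False


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["severity"].upper(), finding["request"], "->", finding["reason"])
```

Run it over real proxy logs by feeding each captured request to `scan`; the high-severity findings are the ones worth paging on, the low ones are context for the same source address.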
No detection rules found.
Nuclei
CVE-2025-50578 [CRITICAL] Heimdall - Host Header Injection & Open Redirect (listed at CVSS 9.8; the template itself is rated medium)
LinuxServer.io Heimdall 2.6.3-ls307 contains a host header injection caused by improper validation of the user-supplied HTTP headers `X-Forwarded-Host` and `Referer`, letting unauthenticated remote attackers perform host header injection and open redirect attacks; the exploit requires no special privileges.
Note the severity gap: the template author rates the issue medium, while the CVSS 3.1 vector above (C:H/I:H/A:H) yields 9.8. A host header injection and open redirect do not by themselves give an attacker high confidentiality, integrity and availability impact, so treat 9.8 as an upper bound when prioritising and weigh the phishing and session-theft chains the advisory describes.
Template (truncated in the source after the `description` field):
```yaml
id: CVE-2025-50578

info:
  name: Heimdall - Host Header Injection & Open Redirect
  author: DhiyaneshDk
  severity: medium
  description: |
    LinuxServer.io Heimdall 2.6.3-ls307 contains a host header injection caused by improper validation of user-supplied HTTP headers `X-Forwarded-Host` and `Referer`, letting unauthenticated remote attackers perform host header injection and open redirect attacks, exploit requires no special privileges.
  imp
```
No writeups or analysis indexed.