CVE-2025-50578
published 2025-07-30


Priority: P2 (68) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 2.78% (84.6th percentile)
LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.

Affected (1 range)

Vendor: linuxserver
Product: docker-heimdall
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

  • other: X-Forwarded-Host: interact.sh
  • other: GET / HTTP/1.1 Host: {{Hostname}} X-Forwarded-Host: interact.sh
  • other: <script src="http://interact.sh/
  • version: Heimdall 2.6.3-ls307
  • Detect exploitation attempts by monitoring HTTP requests containing the `X-Forwarded-Host` header with an external/unexpected domain value directed at Heimdall instances.
  • Use Shodan query `html:"Heimdall"` to identify exposed Heimdall instances potentially vulnerable to CVE-2025-50578.
  • Monitor for abuse of both `X-Forwarded-Host` and `Referer` HTTP headers with external/attacker-controlled domain values on Heimdall endpoints.
  • The vulnerability requires no authentication and no special privileges, meaning any unauthenticated remote attacker can exploit it with a single crafted HTTP request.
  • The Nuclei template confirms exploitation with a single HTTP request (max-request: 1), so detection rules should be tuned to flag even single occurrences of the injected header pattern.
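The monitoring rule described in the bullets above, written out as an added example (this is not code from the advisory, the Nuclei template, or the Heimdall project): it parses raw HTTP/1.1 requests, normalises the hostnames carried in `X-Forwarded-Host` and `Referer`, and flags any that fall outside the set of hostnames the instance is legitimately served under. The expected hostnames, the severity labels and the sample requests are constructed assumptions; a real deployment would feed it from a reverse-proxy access log or a packet capture instead.

```python
from urllib.parse import urlsplit

# Hostnames under which the Heimdall instance is legitimately served (constructed values).
EXPECTED_HOSTS = {"heimdall.example.internal", "localhost"}

# Headers the advisory names as trusted without validation in Heimdall 2.6.3-ls307,
# with the severity assigned to a finding on each. X-Forwarded-Host from an unknown
# domain is a strong signal; an external Referer is normal browsing and only a weak one.
WATCHED_HEADERS = {"x-forwarded-host": "high", "referer": "low"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into its request line and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        # Repeated fields are combined with commas, as RFC 9110 section 5.3 permits.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return {"method": method, "target": target, "version": version, "headers": headers}


def hostnames_in(value: str) -> list[str]:
    """Return every hostname carried by a header value.

    Referer is a single URL (commas may legitimately appear in its path), while
    X-Forwarded-Host may list one host[:port] per proxy hop. Scheme, port and path
    are stripped so 'interact.sh:8080' and 'http://interact.sh/' both become 'interact.sh'.
    """
    parts = [value] if "://" in value else value.split(",")
    hosts = []
    for part in parts:
        part = part.strip().lower()
        if not part:
            continue
        try:
            host = urlsplit(part if "://" in part else "//" + part).hostname
        except ValueError:
            host = None
        # An unparseable entry is still reported: it is not something we expect either.
        hosts.append(host or part)
    return hosts


def check_request(raw: str, expected: set[str] = EXPECTED_HOSTS) -> list[dict]:
    """Flag watched headers whose hostnames are not in the expected set."""
    req = parse_request(raw)
    findings = []
    for header, severity in WATCHED_HEADERS.items():
        if header not in req["headers"]:
            continue
        for host in hostnames_in(req["headers"][header]):
            if host not in expected:
                findings.append({"header": header, "host": host,
                                 "severity": severity, "target": req["target"]})
    return findings


# Constructed sample requests; none of them were captured from a real system.
SAMPLE_REQUESTS = {
    # Browser reaching the app directly: nothing to flag.
    "direct": "GET / HTTP/1.1\r\nHost: heimdall.example.internal\r\nUser-Agent: curl/8.0\r\n\r\n",
    # Legitimate proxy hop: X-Forwarded-Host carries a hostname we actually serve.
    "via_proxy": "GET / HTTP/1.1\r\nHost: 10.0.0.5:8080\r\nX-Forwarded-Host: heimdall.example.internal\r\n\r\n",
    # The pattern quoted in the IOCs above: an external domain in X-Forwarded-Host.
    "injected": "GET / HTTP/1.1\r\nHost: heimdall.example.internal\r\nX-Forwarded-Host: interact.sh\r\n\r\n",
    # Same pattern with a port and a second hop, plus an external Referer.
    "injected_with_port": ("GET /dash HTTP/1.1\r\nHost: heimdall.example.internal\r\n"
                           "X-Forwarded-Host: interact.sh:8080, localhost\r\n"
                           "Referer: http://interact.sh/\r\n\r\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        for f in check_request(raw):
            print(f"{label}: {f['severity'].upper()} {f['header']} -> {f['host']} on {f['target']}")
```

Because the vulnerable version reflects whatever `X-Forwarded-Host` says into generated URLs, a single request is enough to trigger the behaviour, so the check deliberately alerts on every occurrence rather than on a rate threshold. Hostnames legitimately set by your own reverse proxy must be in `EXPECTED_HOSTS`, otherwise normal traffic will be reported.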