CVE-2025-50578 · CRITICAL 9.8 · EPSS p83.3%

Description

LinuxServer.io Heimdall 2.6.3-ls307 trusts the user-supplied `X-Forwarded-Host` and `Referer` request headers without sufficient validation. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection (the application builds absolute URLs, and so loads external resources, from an attacker-controlled domain) and an Open Redirect (users are sent to an attacker-chosen URL). Possible consequences include phishing, UI redress and session theft. The root cause is insufficient validation of, and misplaced trust in, untrusted input; the effect is on the integrity and trustworthiness of the application's responses.
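The two behaviours the description names, reflected `X-Forwarded-Host` and off-origin redirects, can be checked offline from a captured response, and the trust decision a fixed deployment should make can be shown next to them. The following is an added example written for this page; it is not Heimdall's code, not the project's fix, and not the exploit from the referenced write-up. The hostnames, the trusted-proxy address and the sample response are constructed, and the detection is the generic one a pentester would apply to any reverse-proxied web application.

```python
"""Offline checks for CVE-2025-50578-style behaviour: does a response reflect an
attacker-supplied X-Forwarded-Host, and does a redirect leave the app's origin.
Hostnames and the sample response are constructed for this example."""
import http.client
import re
from urllib.parse import urlsplit

APP_HOST = "dashboard.example.internal"   # assumed hostname of the deployment
INJECTED_HOST = "attacker.example"        # assumed attacker-controlled hostname

# Attribute values a browser turns into a request or a navigation.
_URL_ATTR = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)


def _hostname(url):
    """Lower-cased hostname of an absolute or protocol-relative URL; None for a
    path-only reference. .hostname strips userinfo and port, so "https://app@evil/"
    resolves to "evil" rather than being matched as a string prefix."""
    try:
        return urlsplit(url.strip()).hostname
    except ValueError:          # e.g. malformed IPv6 literal
        return None


def reflects_forwarded_host(headers, body, injected_host):
    """True if the injected hostname is the host of the Location header or of any
    href/src/action URL in the body, i.e. the app built absolute URLs from
    X-Forwarded-Host instead of from its configured host."""
    candidates = [v for k, v in headers.items() if k.lower() == "location"]
    candidates += _URL_ATTR.findall(body)
    return any(_hostname(u) == injected_host.lower() for u in candidates)


def is_open_redirect(location, app_host):
    """True if a Location value points at a host other than app_host. Relative
    paths stay on the application origin; "//host/..." and userinfo forms are
    caught because the parsed hostname is compared, not the raw string."""
    host = _hostname(location)
    return host is not None and host != app_host.lower()


def effective_host(x_forwarded_host, remote_addr, trusted_proxies, allowed_hosts):
    """Hostname the application should use when building URLs and redirects.
    X-Forwarded-Host is honoured only if the TCP peer is a trusted proxy AND the
    value (first hop, including any port) is on the allow-list; otherwise the
    configured host wins. This is the trust decision the vulnerable version skips."""
    if remote_addr in trusted_proxies and x_forwarded_host:
        candidate = x_forwarded_host.split(",")[0].strip().lower()
        if candidate in {h.lower() for h in allowed_hosts}:
            return candidate
    return APP_HOST


def safe_return_target(referer, app_host):
    """Return-to-previous-page logic that cannot leave the origin: use the Referer
    only if it is on app_host, and then only its path and query, never an absolute
    URL. Anything else lands on the dashboard root."""
    if referer and _hostname(referer) == app_host.lower():
        parts = urlsplit(referer)
        return (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return "/"


def probe(target_host, port=80, path="/", injected_host=INJECTED_HOST):
    """Send one request with forged X-Forwarded-Host and Referer headers and judge
    the reply with reflects_forwarded_host(). Redirects are not followed. Only run
    against instances you are authorised to test; not used by the offline checks."""
    conn = http.client.HTTPConnection(target_host, port, timeout=10)
    conn.request("GET", path, headers={"X-Forwarded-Host": injected_host,
                                       "Referer": f"http://{injected_host}/"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return reflects_forwarded_host(headers, body, injected_host)


# Constructed sample of what an affected instance could return to a request
# carrying "X-Forwarded-Host: attacker.example": absolute URLs built from the
# forwarded value instead of the configured host.
SAMPLE_HEADERS = {"Location": f"http://{INJECTED_HOST}/login"}
SAMPLE_BODY = f'<link rel="stylesheet" href="http://{INJECTED_HOST}/css/app.css">'

if __name__ == "__main__":
    print("reflects X-Forwarded-Host:",
          reflects_forwarded_host(SAMPLE_HEADERS, SAMPLE_BODY, INJECTED_HOST))
    print("Location leaves origin:",
          is_open_redirect(SAMPLE_HEADERS["Location"], APP_HOST))
    print("host used after hardening:",
          effective_host(INJECTED_HOST, "203.0.113.9", {"10.0.0.5"}, {APP_HOST}))
    print("return target for foreign Referer:",
          safe_return_target(f"http://{INJECTED_HOST}/", APP_HOST))
```

When auditing a real instance, compare the reply to a request without the forged headers against one with them; the `Location` header and the `href`/`src` URLs of a fresh login page are usually where a reflected host shows up first. On the defensive side, the same allow-list check should sit at the reverse proxy as well, so that `X-Forwarded-Host` from the public side is dropped before it reaches the application.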

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note that the vector rates confidentiality, integrity and availability all High, while the description above lists integrity-type effects (redirects and externally loaded resources); treat 9.8 as the published score and weigh it against the exposure of your own instance.
EPSS: 2.59% probability of exploitation · percentile 83.3% · 2026-06-18T12:00:27Z
Published: 2025-07-30
Last modified: 2025-08-25

Underlying weaknesses · 3

  - CWE-20 (Improper Input Validation)
  - CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
  - CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect')

References

  1. https://github.com/linuxserver/Heimdall
  2. https://github.com/linuxserver/Heimdall/issues/1451
  3. https://medium.com/@juanfelipeoz.rar/cve-2025-50578-exploiting-host-header-injection-open-redirect-in-heimdall-application-733afceff2ea

Weakness mapping · 3

Type      Target                                                                                                ID       Confidence  Tier
Weakness  Improper Input Validation                                                                             CWE-20   0%          live
Weakness  URL Redirection to Untrusted Site ('Open Redirect')                                                   CWE-601  0%          live
Weakness  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')    CWE-74   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus (all CVE records):

  - CVE-2025-6504
  - CVE-2025-67494
  - CVE-2025-25477
  - CVE-2025-66570
  - CVE-2025-48936
  - CVE-2025-12486

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.