
CVE-2025-50578: Host Header Injection & Open Redirect in linuxserver/heimdall:latest #1451

@JFOZ1010

Description


Affected Version

  • Docker Image: linuxserver/heimdall:latest

  • Discovered By: Juan Felipe Osorio Zapata

  • Link to the full detailed technical report with PoC: CVE-2025-50578 - Medium

Summary

While analyzing the latest Docker image of Heimdall, I identified two security vulnerabilities related to improper trust of user-controlled HTTP headers:

  • Host Header Injection → leads to Open Redirect and unsafe external resource loading.
  • Open Redirect via Referer → allows redirection to attacker-controlled domains.

Technical Impact

  • The application loads JS, CSS, and images from attacker-controlled domains when X-Forwarded-Host is manipulated.
  • Unsafe use of the Referer header results in 302 redirects to external domains.
  • These vectors could be used for:
    • Phishing or UI redress attacks
    • Cookie/session theft
    • Internal CSRF chaining
    • Trust erosion in the application

Minimal PoCs

GET / HTTP/1.1
Host: localhost:8084
X-Forwarded-Host: evil.com

➡️ App responds with 200 OK and loads assets from http://evil.com/

POST /users/2 HTTP/1.1
Host: localhost:8084
Referer: https://evil.com/index.html

➡️ Results in a redirect: Location: https://attacker.com/index.html

Recommendations

  • Avoid using X-Forwarded-Host, Referer, or Origin for redirect logic or dynamic resource inclusion.
  • Enforce internal-only redirects (same-origin) via a whitelist.
  • Prefer relative paths for navigation (e.g., /dashboard, /home).
  • Sanitize or drop untrusted headers unless explicitly set by a known reverse proxy.
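The following Python script is an added example illustrating the two fixes recommended above for the behaviour described under Technical Impact; it is not code from the original issue or from the Heimdall project (which is a PHP application), and the APP_URL, trusted-proxy ranges, header values and remote addresses it uses are constructed for illustration. It shows (1) deriving the host used in generated asset URLs from server-side configuration, honouring X-Forwarded-Host only when the TCP peer is a configured reverse proxy, and (2) restricting post-action redirects to relative or same-origin targets, so a Referer pointing at an external domain falls back to a fixed internal path.

```python
"""Added example, not part of the original issue or of Heimdall.

Models two mitigations for header-based open redirect and untrusted
resource loading:
  1. effective_host(): X-Forwarded-Host is used only if the request came
     from a known reverse proxy; otherwise the configured APP_URL wins.
  2. safe_redirect_target(): only relative paths or URLs on APP_URL's
     origin are accepted; anything else becomes DEFAULT_AFTER_ACTION.
All settings and request data below are hypothetical.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed deployment settings (hypothetical values).
APP_URL = "http://localhost:8084"
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]
DEFAULT_AFTER_ACTION = "/dashboard"


def effective_host(headers: Dict[str, str], remote_addr: str) -> str:
    """Host to use when building absolute URLs for this request.

    Neither Host nor X-Forwarded-Host is client-trustworthy, so the
    forwarded value is used only when the peer address is a trusted proxy.
    """
    forwarded = headers.get("X-Forwarded-Host")
    peer = ip_address(remote_addr)
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        # Proxies may append values; the first one is the original host.
        return forwarded.split(",")[0].strip()
    return urlsplit(APP_URL).netloc


def asset_url(headers: Dict[str, str], remote_addr: str, path: str) -> str:
    """Absolute URL for a static asset such as /css/app.css."""
    scheme = urlsplit(APP_URL).scheme
    return f"{scheme}://{effective_host(headers, remote_addr)}{path}"


def safe_redirect_target(candidate: Optional[str]) -> str:
    """Return a redirect target that stays on the application's origin.

    Rejects protocol-relative forms (//evil.com, /\\evil.com), absolute
    URLs on other origins and non-http schemes; same-origin absolute URLs
    are reduced to their path and query so the result is always relative.
    """
    if not candidate:
        return DEFAULT_AFTER_ACTION
    parts = urlsplit(candidate)
    app = urlsplit(APP_URL)
    if parts.scheme == "" and parts.netloc == "":
        # Plain path: must begin with exactly one '/' (no '//' or '/\').
        if candidate.startswith("/") and candidate[1:2] not in ("/", "\\"):
            return candidate
        return DEFAULT_AFTER_ACTION
    if (parts.scheme, parts.netloc) == (app.scheme, app.netloc):
        path = parts.path or "/"
        return path + (f"?{parts.query}" if parts.query else "")
    return DEFAULT_AFTER_ACTION


def after_action_location(headers: Dict[str, str]) -> str:
    """Location header to emit after e.g. POST /users/2.

    Referer is consulted only as a hint and always passed through the
    same-origin check, so an external Referer cannot steer the redirect.
    """
    return safe_redirect_target(headers.get("Referer"))


if __name__ == "__main__":
    # Direct client sending X-Forwarded-Host: asset stays on APP_URL.
    print(asset_url({"X-Forwarded-Host": "evil.com"}, "203.0.113.5", "/css/app.css"))
    # Same header arriving via a trusted proxy: forwarded host is honoured.
    print(asset_url({"X-Forwarded-Host": "heimdall.example.org"}, "10.1.2.3", "/css/app.css"))
    # External Referer no longer produces an external Location.
    print(after_action_location({"Referer": "https://evil.com/index.html"}))
    print(after_action_location({"Referer": "http://localhost:8084/users/2?tab=info"}))
```

In a real deployment the trusted-proxy list and APP_URL belong in configuration rather than in code, and the proxy itself should overwrite (not append to) X-Forwarded-Host so that a client-supplied value never reaches the application.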

📄 Full Report Available

I have a fully documented PDF report with in-depth technical analysis and working Proofs of Concept (PoCs), including:

  • Exploitation via injection of malicious CSS and JavaScript
  • Screenshots and testing scenarios with custom HTTP servers
  • Impact analysis with potential attack chains

I initially submitted the report to [email protected] on April 12, 2025, but I haven’t received a reply. For transparency and security awareness, I’m now sharing the issue here.

🔐 If you're interested in reviewing the full report, I’ll gladly send it privately via email or any channel you prefer — just let me know how you’d like to receive it.

Juan Felipe Osorio Z
Penetration Tester & OSS Security Researcher

Project status: Non-Docker Issues