PT-2025-31395 · Heimdal · Heimdal

Jfoz1010 · Published 2025-07-30 · Updated 2026-04-02 · CVE-2025-50578
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Heimdall version 2.6.3-ls307
Description: The application does not properly validate user-supplied HTTP headers, specifically X-Forwarded-Host and Referer. This allows Host Header Injection and Open Redirect attacks. An unauthenticated remote attacker can manipulate these headers so that the application loads external resources from attacker-controlled domains and redirects users, potentially enabling phishing, UI redress, and session theft. The root cause is insufficient validation of untrusted input, affecting the application's integrity and trustworthiness.
Recommendations: Apply input validation and sanitization to the X-Forwarded-Host and Referer HTTP headers to prevent manipulation.
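As an added example (not Heimdall's own code), the two checks the recommendation calls for, written in Python: X-Forwarded-Host is honoured only when it names a host on a deployment allowlist, and a Referer-derived redirect is reduced to a same-origin path so it cannot become an open redirect. The host names in the allowlist are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist of host names this deployment is reachable under (assumption).
TRUSTED_HOSTS = {"dashboard.example.internal", "localhost"}


def resolve_host(headers, allowlist=TRUSTED_HOSTS):
    """Return the validated host name to use when building absolute URLs.

    X-Forwarded-Host is preferred over Host (it is what a reverse proxy sets),
    but any present value that is not on the allowlist causes None, so the
    caller can answer 400 instead of building URLs from attacker-controlled
    input. The parsed host name is returned, never the raw header string.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    chosen = None
    for name in ("x-forwarded-host", "host"):
        value = lowered.get(name)
        if value is None:
            continue
        # A proxy chain may append several hosts; the first is the client-facing one.
        first = value.split(",")[0].strip()
        try:
            hostname = urlsplit("//" + first).hostname  # lowercases, strips :port, handles [IPv6]
        except ValueError:
            return None
        if hostname not in allowlist:
            return None
        chosen = chosen or hostname
    return chosen


def safe_return_path(referer, allowlist=TRUSTED_HOSTS, fallback="/"):
    """Derive a post-action redirect target from Referer without an open redirect.

    Only http(s) URLs on an allowlisted host are accepted, and only their
    path and query are returned, so the Location header stays same-origin.
    """
    if not referer:
        return fallback
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return fallback
    if parts.scheme not in ("http", "https") or parts.hostname not in allowlist:
        return fallback
    path = parts.path or "/"
    # "//host" and "/\host" are treated as scheme-relative URLs by browsers.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return fallback
    return path + ("?" + parts.query if parts.query else "")
```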

Tags: RCE · Open Redirect · Special Elements Injection


Weakness Enumeration

Related identifiers: CVE-2025-50578

Affected products: Heimdal