PT-2025-31395 · Heimdal · Heimdal

Author: Jfoz1010
Published: 2025-07-30
Updated: 2026-04-02
CVE: CVE-2025-50578
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: heimdall version 2.6.3-ls307
Description: The application does not properly validate user-supplied HTTP headers, specifically X-Forwarded-Host and Referer. This allows for Host Header Injection and Open Redirect attacks. An unauthenticated remote attacker can manipulate these headers to load external resources from attacker-controlled domains and redirect users, potentially enabling phishing, UI redress, and session theft. The issue is due to insufficient validation of untrusted input, impacting the application's integrity and trustworthiness.
Recommendations: Apply input validation and sanitization to the X-Forwarded-Host and Referer HTTP headers to prevent manipulation.
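The recommendation above in working form, as an added example that is not Heimdall's own code: X-Forwarded-Host is honoured only when the immediate peer is a known reverse proxy and the value is on a host allowlist, and a Referer is followed only when it is same-origin and reduced to a local path. The allowlisted hosts and the proxy address are assumed deployment values, not taken from the advisory.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical deployment values (assumptions for this example only).
ALLOWED_HOSTS = {"dash.example.internal", "dash.example.internal:8443"}
TRUSTED_PROXIES = {"10.0.0.5"}


def effective_host(headers: dict, remote_addr: str) -> Optional[str]:
    """Return the host the app may use to build absolute URLs, or None.

    X-Forwarded-Host is trusted only when the request arrives from a
    trusted reverse proxy; otherwise the plain Host header is used. Either
    value must be on the allowlist, so an attacker-supplied host never
    reaches templates that build asset, link or redirect URLs.
    """
    forwarded = headers.get("X-Forwarded-Host")
    if remote_addr in TRUSTED_PROXIES and forwarded:
        # A proxy chain may append values; the first is the client-facing host.
        host = forwarded.split(",")[0].strip().lower()
    else:
        host = (headers.get("Host") or "").strip().lower()
    return host if host in ALLOWED_HOSTS else None


def redirect_target(referer: Optional[str], app_host: str, fallback: str = "/") -> str:
    """Choose a post-action redirect from the Referer, or a fixed local fallback.

    Only http(s) referers whose authority equals the app's own host are
    accepted, and only their path and query are re-emitted, so the
    response can never redirect to a caller-chosen origin.
    """
    if not referer:
        return fallback
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != app_host:
        return fallback
    path = parts.path or "/"
    # Reject protocol-relative forms such as "//evil.example" just in case.
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    return path + ("?" + parts.query if parts.query else "")
```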

Exploit

Fix

RCE

Open Redirect

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2025-50578

Affected Products

Heimdal