
CVE-2025-50578: Host Header Injection & Open Redirect in linuxserver/heimdall:latest #1451

@JFOZ1010

Affected Version

  • Docker Image: linuxserver/heimdall:latest

  • Discovered By: Juan Felipe Osorio Zapata

  • Link to the full technical report with PoC: CVE-2025-50578 - Medium

Summary

While analyzing the latest Docker image of Heimdall, I identified two security vulnerabilities, both caused by trusting user-controlled HTTP headers:

  • Host Header Injection via X-Forwarded-Host → the application builds absolute URLs from the injected host, which leads to open redirect and to JS, CSS and images being loaded from an attacker-controlled origin.
  • Open Redirect via Referer → the request's Referer value is used as a redirect target, allowing redirection to attacker-controlled domains.

Technical Impact

  • When X-Forwarded-Host is manipulated, the application emits absolute URLs for its JS, CSS, and images that point at the attacker's domain; a script loaded that way executes in the application's origin.
  • Unsafe use of the Referer header results in 302 redirects to external domains.
  • These vectors could be used for:
    • Phishing or UI redress attacks
    • Cookie/session theft
    • Chaining into CSRF against internal endpoints
    • Loss of user trust in the application

Minimal PoCs

Host Header Injection (the injected X-Forwarded-Host value ends up in the asset URLs of the response):

```http
GET / HTTP/1.1
Host: localhost:8084
X-Forwarded-Host: evil.com
```

➡️ App responds with 200 OK and loads assets from http://evil.com/

Open Redirect via Referer (the response redirects to whatever the Referer header says):

```http
POST /users/2 HTTP/1.1
Host: localhost:8084
Referer: https://evil.com/index.html
```

➡️ Results in a redirect: Location: https://evil.com/index.html
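The two PoCs above are confirmed by reading the response, not just by the status code. The following Python checker is an added example (not code from the original report or from Heimdall): it parses a captured response the way a tester would after sending the PoC requests and flags (1) asset URLs whose authority equals the injected X-Forwarded-Host value and (2) a 3xx Location that leaves the application's own origin, including the `//evil.com` and `/\evil.com` forms browsers resolve as an authority. The HTML and redirect headers at the bottom are constructed to mimic the described behaviour. One caveat for the first vector: it is only reachable by whoever can deliver the header to the application, so a reverse proxy in front that overwrites X-Forwarded-Host limits it to direct access to the container, while the Referer vector needs no proxy at all.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
ASSET_ATTRS = {"script": "src", "link": "href", "img": "src"}


class _AssetCollector(HTMLParser):
    """Collects the URL attribute of every asset-loading tag, in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = ASSET_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def _host_of(url):
    """Authority part of a URL; backslashes are normalised to '/' first, as browsers do."""
    return urlsplit(url.replace("\\", "/")).netloc.lower()


def find_injected_assets(html, injected_host):
    """Asset URLs whose authority equals the X-Forwarded-Host value that was sent.
    A non-empty result means absolute asset URLs were built from the injected header."""
    collector = _AssetCollector()
    collector.feed(html)
    return [u for u in collector.urls if _host_of(u) == injected_host.lower()]


def is_open_redirect(status, headers, app_host):
    """True when a 3xx response's Location leaves the application's own origin.
    Relative Locations have an empty authority and count as safe."""
    if not 300 <= status < 400:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    target_host = _host_of(lowered.get("location", ""))
    return bool(target_host) and target_host != app_host.lower()


# Constructed sample response shaped like the behaviour the PoCs describe
# (assumed content, not a capture from Heimdall).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://evil.com/css/app.css">
<script src="http://evil.com/js/app.js"></script>
<link rel="icon" href="/favicon.ico">
</head><body><img src="http://evil.com/img/logo.png"></body></html>"""
SAMPLE_REDIRECT = (302, {"Location": "https://evil.com/index.html"})


def check_sample():
    """Run both checks over the constructed sample: (injected asset URLs, open-redirect flag)."""
    assets = find_injected_assets(SAMPLE_HTML, "evil.com")
    status, headers = SAMPLE_REDIRECT
    return assets, is_open_redirect(status, headers, "localhost:8084")


if __name__ == "__main__":
    assets, redirect = check_sample()
    print("assets loaded from injected host:", assets)
    print("open redirect:", redirect)
```

To use it against a live target, send the PoC request with any HTTP client, pass the body to `find_injected_assets` with the host you injected, and pass the status and headers of the POST response to `is_open_redirect`; the relative `/favicon.ico` in the sample shows that only absolute URLs pointing at the injected host are reported.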

Recommendations

  • Never derive redirect targets or base/asset URLs from X-Forwarded-Host, Referer, or Origin.
  • Enforce same-origin redirects via an allowlist of permitted hosts, falling back to a fixed route otherwise.
  • Prefer relative paths for navigation (e.g., /dashboard, /home).
  • Drop or overwrite X-Forwarded-* headers at the edge and honor them only when they come from a known reverse proxy (an explicit trusted-proxy list, not a wildcard).
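The two header-trust rules in the recommendations, written out as testable functions. This is an added example, not Heimdall's code: `effective_host` honours X-Forwarded-Host only when the TCP peer is a configured reverse proxy and additionally allow-lists the result, because the Host header is client-controlled too; `safe_redirect_target` reduces a Referer (or any user-supplied "return to" URL) to a same-origin path and otherwise falls back to a fixed route. The proxy address ranges, the allowed hosts, and the fallback route are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed deployment facts for illustration: reverse-proxy address ranges, the hosts the
# application may be served as, and the host used when no candidate is acceptable.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.0/12"), ipaddress.ip_network("127.0.0.0/8")]
ALLOWED_HOSTS = {"localhost:8084", "heimdall.internal.example"}
CANONICAL_HOST = "localhost:8084"
FALLBACK_ROUTE = "/"


def _lower_headers(headers):
    return {k.lower(): v for k, v in headers.items()}


def effective_host(headers, remote_addr):
    """Host to embed in absolute URLs (asset links, redirects, mail links).
    X-Forwarded-Host is honoured only when the peer is a trusted proxy; whichever
    candidate wins must still be on the allowlist, otherwise the canonical host is used."""
    h = _lower_headers(headers)
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES) and h.get("x-forwarded-host"):
        # Proxies may forward a comma-separated chain; the first entry is the client-facing host.
        candidate = h["x-forwarded-host"].split(",")[0].strip()
    else:
        candidate = h.get("host", "")
    candidate = candidate.lower()
    return candidate if candidate in ALLOWED_HOSTS else CANONICAL_HOST


def safe_redirect_target(candidate, app_host, fallback=FALLBACK_ROUTE):
    """Reduce a Referer (or any user-supplied URL) to a same-origin path.
    A foreign authority, a non-HTTP scheme, or a path a browser would reinterpret as an
    authority ('//evil.com', '/\\evil.com') all collapse to the fallback route."""
    if not candidate:
        return fallback
    parts = urlsplit(candidate.replace("\\", "/"))   # browsers treat '\' as '/' in URLs
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback                                # javascript:, data:, and similar
    if parts.netloc and parts.netloc.lower() != app_host.lower():
        return fallback                                # foreign host, including user@host tricks
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    # Re-emit only path and query: scheme, host and fragment are never taken from the input.
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    poc_headers = {"Host": "localhost:8084", "X-Forwarded-Host": "evil.com"}
    print(effective_host(poc_headers, "203.0.113.5"))                      # direct client: localhost:8084
    print(effective_host(poc_headers, "172.17.0.2"))                       # trusted proxy, but not allow-listed
    print(safe_redirect_target("https://evil.com/index.html", "localhost:8084"))
    print(safe_redirect_target("http://localhost:8084/users/2?tab=x", "localhost:8084"))
```

Heimdall is a Laravel application; in Laravel the proxy rule corresponds to the `TrustProxies` middleware's `$proxies` list, and a wildcard `'*'` there makes the framework accept X-Forwarded-Host from any client. Whether that setting is the cause in Heimdall is not established by this report; the point of the example is that the proxy check and the allowlist are both needed, since either alone still leaves a client-controlled value in the URL.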

📄 Full Report Available

I have a fully documented PDF report with in-depth technical analysis and working Proofs of Concept (PoCs), including:

  • Exploitation via injection of malicious CSS and JavaScript
  • Screenshots and testing scenarios with custom HTTP servers
  • Impact analysis with potential attack chains

I initially submitted the report to [email protected] on April 12, 2025, but I haven’t received a reply. For transparency and security awareness, I’m now sharing the issue here.

🔐 If you're interested in reviewing the full report, I’ll gladly send it privately via email or any channel you prefer — just let me know how you’d like to receive it.

Juan Felipe Osorio Z
Penetration Tester & OSS Security Researcher
LinkedIn | X (Twitter) | Website
