CVE-2025-54597
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts via the 'q' parameter in LinuxServer.io Heimdall, potentially compromising user sessions. It affects all Heimdall instances running versions before 2.7.3. Users who access a maliciously crafted URL could have their browser execute arbitrary JavaScript in the context of the Heimdall application.
💻 Affected Systems
- LinuxServer.io Heimdall
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Session hijacking leading to unauthorized access to the Heimdall dashboard and potentially other integrated services.
If Mitigated
Limited impact with proper Content Security Policy headers and input validation, though basic XSS protection would still be bypassed.
🎯 Exploit Status
XSS vulnerabilities are commonly weaponized. The 'q' parameter appears to be a search parameter that accepts user input without proper sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.3
Vendor Advisory: https://github.com/linuxserver/Heimdall/commit/d1a96dd752ba30dc56380400dd2587d8abb8e9d1
Restart Required: Yes
Instructions:
1. Update Heimdall to version 2.7.3 or later.
2. For Docker deployments: pull the latest image and restart the container.
3. For manual installations: replace files with the patched version from GitHub.
🔧 Temporary Workarounds
Input Validation via WAF
Implement web application firewall rules to sanitize or block malicious 'q' parameter values. Note that nginx's $arg_q holds the raw, still URL-encoded query value, so a literal match on "<script" does not catch encoded forms such as %3Cscript; a WAF that decodes the request before matching is the more reliable option.
# Example nginx rule to block literal script tags in the q parameter
# ($arg_q is not URL-decoded; encoded payloads are not matched by this rule)
location / {
    if ($arg_q ~* "<script") {
        return 403;
    }
}
Content Security Policy
Implement strict CSP headers to mitigate the impact of successful XSS exploitation. A script-src that includes 'unsafe-inline' permits reflected inline script to run and therefore does not mitigate this vulnerability; omit 'unsafe-inline' and 'unsafe-eval', then confirm the dashboard still works under the tightened policy.
# Add to web server config (nginx shown); 'unsafe-inline' and 'unsafe-eval'
# are deliberately omitted, since allowing them lets injected script execute anyway
add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to limit script execution
- Deploy a web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check Heimdall version in web interface or via Docker inspect. Test by attempting XSS payload in 'q' parameter.
Check Version:
docker inspect heimdall | grep -i version || grep version /path/to/heimdall/config
Verify Fix Applied:
Confirm version is 2.7.3 or later. Test that script tags in 'q' parameter are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual 'q' parameter values containing script tags or JavaScript code
- Multiple failed login attempts from new user agents
Network Indicators:
- HTTP requests with 'q' parameter containing suspicious patterns like <script>, javascript:, or encoded payloads
SIEM Query:
web.url:*q=*<script* OR web.url:*q=*javascript:*
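The SIEM query above only matches literal "<script" or "javascript:" in the URL, while the network indicators also mention encoded payloads. The following is an added example (not from the advisory or the Heimdall project) that scans combined-format access log lines, fully URL-decodes the 'q' value (including double encoding) and flags the same patterns; the log lines are constructed samples, and the log format and pattern list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Patterns that indicate script injection in the decoded 'q' value (assumed list).
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)", re.I)

# Combined/common log format: the first quoted field is the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_q(path):
    """Return the fully decoded 'q' query value from a request path, or None."""
    values = parse_qs(urlsplit(path).query, keep_blank_values=True).get("q")
    if not values:
        return None
    q = values[0]
    # Decode repeatedly: double-encoded payloads slip past single-pass filters.
    for _ in range(3):
        decoded = unquote(q)
        if decoded == q:
            break
        q = decoded
    return q

def scan_log(lines):
    """Return (ip, timestamp, decoded_q) for every request with a suspicious 'q'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        q = decode_q(m.group("path"))
        if q is not None and SUSPICIOUS.search(q):
            hits.append((m.group("ip"), m.group("ts"), q))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2025:12:00:01 +0000] "GET /?q=plex HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Aug/2025:12:00:02 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Aug/2025:12:00:03 +0000] "GET /?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Aug/2025:12:00:04 +0000] "GET /?q=javascript%3Aalert(document.cookie) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, ts, q in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious q={q!r}")
```

The first sample line is a benign search and is not reported; the other three are flagged, including the double-encoded one that the literal SIEM query misses.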