@jaycollett
Summary

This PR addresses CVE-2025-50578 as reported in #1451, which includes two security vulnerabilities:

  1. Host Header Injection via X-Forwarded-Host header - allows attackers to make the application load assets (JS, CSS, images) from attacker-controlled domains
  2. Open Redirect via Referer header - allows attackers to redirect users to malicious external domains after authentication

Changes

1. Configurable Trusted Proxies (TrustProxies.php)

The trusted proxy configuration is now configurable via the TRUSTED_PROXIES environment variable.

Backwards Compatibility: The default behavior is unchanged - private IP ranges (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 127.0.0.1) are trusted by default, so existing setups behind reverse proxies will continue to work without changes.

New Options:

| Value | Behavior |
|---|---|
| Not set | Trusts private IP ranges (default, backwards compatible) |
| Specific IP(s) | TRUSTED_PROXIES=192.168.1.10 or TRUSTED_PROXIES=192.168.1.10,192.168.1.11 |
| Empty string | TRUSTED_PROXIES= trusts no proxies |
| Wildcard | TRUSTED_PROXIES=* trusts all proxies |

2. Open Redirect Fixes (LoginController.php & RedirectIfAuthenticated.php)

These fixes prevent attackers from redirecting users to external malicious domains via the HTTP Referer header:

  • Removed URL::previous() usage which trusted the untrusted Referer header
  • Changed back() redirect after authentication to use the safe dash route
  • Changed redirect()->intended() to use a safe internal path (/)
  • Removed session-based redirect URL that could contain external domains

These changes are applied unconditionally and improve security for all users.

How to Secure Your Instance

For users who want enhanced security:

Add to your .env file:

# Restrict to your specific reverse proxy IP
TRUSTED_PROXIES=192.168.1.10

# Or for multiple proxies
TRUSTED_PROXIES=192.168.1.10,192.168.1.11

# Or to trust no proxies (if not behind a reverse proxy)
TRUSTED_PROXIES=

For users behind dynamic proxies (e.g., Docker networks):

The default behavior (trusting private IPs) or TRUSTED_PROXIES=* should work, but be aware this is less restrictive.

Testing

  • Existing reverse proxy setups continue to work without configuration changes
  • TRUSTED_PROXIES can be set to restrict trusted proxies
  • Authentication redirects to dashboard instead of potentially malicious external URLs
  • No breaking changes for existing users

References

…ties

Security fixes for two vulnerabilities reported in issue linuxserver#1451:

1. Make trusted proxies configurable via TRUSTED_PROXIES env variable
2. Fix open redirect via Referer header in authentication flow
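
The four TRUSTED_PROXIES settings listed in the PR description, modelled as a stand-alone PHP script. This is an added example, not code from the PR or from Heimdall; the function names, the IPv4-only matching, and the sample hosts and peer address are assumptions made for illustration.

```php
<?php
// Added illustration; not Heimdall's code. All function names are hypothetical.
// Assumes 64-bit PHP and IPv4 addresses only.
const PRIVATE_RANGES = ['192.168.0.0/16', '172.16.0.0/12', '10.0.0.0/8', '127.0.0.1'];

/** Map the raw TRUSTED_PROXIES value (null = not set) to a list of trusted entries. */
function trustedProxies(?string $raw): array
{
    if ($raw === null) {
        return PRIVATE_RANGES;          // not set: backwards-compatible default
    }
    $raw = trim($raw);
    if ($raw === '') {
        return [];                      // empty string: trust no proxies
    }
    if ($raw === '*') {
        return ['0.0.0.0/0'];           // wildcard: every IPv4 peer is trusted
    }
    return array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
}

/** Match $ip against a single IPv4 address or a CIDR block. */
function ipMatches(string $ip, string $entry): bool
{
    [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;                   // malformed input never counts as trusted
    }
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Host used for generated URLs: X-Forwarded-Host only when the peer is a trusted proxy. */
function effectiveHost(string $peer, string $host, ?string $forwardedHost, ?string $raw): string
{
    foreach ($forwardedHost === null ? [] : trustedProxies($raw) as $entry) {
        if (ipMatches($peer, $entry)) {
            return $forwardedHost;
        }
    }
    return $host;
}

// Constructed request: one LAN peer sends the same X-Forwarded-Host under each setting.
foreach ([null, '192.168.1.10', '', '*'] as $setting) {
    printf("%-16s => %s\n", var_export($setting, true),
        effectiveHost('192.168.1.77', 'heimdall.example', 'untrusted.example', $setting));
}
```

With the variable unset, the sample peer 192.168.1.77 falls inside 192.168.0.0/16, so its forwarded host is honored; pinning TRUSTED_PROXIES to 192.168.1.10 or setting it empty makes the script fall back to the real Host value.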