CVE-2025-1742 – This vulnerability allows attackers to inject m... (How to Fix)

Q: What is the severity of CVE-2025-1742?

CVE-2025-1742 has a CVSS score of 4.3 (MEDIUM). This vulnerability allows attackers to inject malicious scripts via the 'page_name' parameter in PiHome's /home.php file, leading to cross-site scripting (XSS). It affects PiHome 2.0 installations, potentially compromising user sessions and data. The vulnerability can be exploited remotely without authentication.

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts via the 'page_name' parameter in PiHome's /home.php file, leading to cross-site scripting (XSS). It affects PiHome 2.0 installations, potentially compromising user sessions and data. The vulnerability can be exploited remotely without authentication.

💻 Affected Systems

Products:

pihome-shc PiHome

Versions: 2.0

Operating Systems: Linux (Raspberry Pi OS)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects installations where PiHome is accessible via web interface. The specific vulnerable component is the /home.php file with the page_name parameter.

📦 What is this software?

Maxair by Pihome

View all CVEs affecting Maxair →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to full account compromise.

🟠

Likely Case

Attackers inject malicious scripts that steal session tokens or credentials from users who visit the vulnerable page, leading to unauthorized access.

🟢

If Mitigated

With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists, making internet-facing instances particularly vulnerable.

🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to attacks from within the network, though the attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept exists on GitHub. Exploitation requires minimal technical skill as it involves simple parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider implementing workarounds or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation Filter

linux

Implement server-side input validation to sanitize the page_name parameter, rejecting or encoding special characters.

Modify /home.php to add: $page_name = htmlspecialchars($_GET['page_name'], ENT_QUOTES, 'UTF-8');

Web Application Firewall (WAF)

all

Deploy a WAF with XSS protection rules to block malicious requests targeting the page_name parameter.

🧯 If You Can't Patch

Isolate PiHome instance behind a reverse proxy with strict input filtering.
Disable or restrict access to the /home.php endpoint if not essential.

🔍 How to Verify

Check if Vulnerable:

Test by accessing /home.php?page_name=<script>alert('XSS')</script> and checking if script executes in browser.

Check Version:

Check PiHome version in web interface or configuration files; typically shown in admin panel or footer.

Verify Fix Applied:

After applying workarounds, retest with the same payload; script should not execute and input should be properly encoded.

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /home.php with suspicious parameters containing script tags or JavaScript code in page_name.

Network Indicators:

Unusual traffic patterns to /home.php endpoint with encoded or obfuscated payloads.

SIEM Query:

source="web_logs" AND uri_path="/home.php" AND query_string="*page_name=*script*"

📊 Metadata

CVE ID: CVE-2025-1742

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE: CWE-79

EPSS Score: 0.09% exploit probability (26.2th percentile)

Published: February 27, 2025

Last Updated: October 21, 2025

🔗 References

https://github.com/janssensjelle/published-pocs/blob/main/pihomehvac_xss_home.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.297830 Permissions Required,VDB Entry
https://vuldb.com/?id.297830 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.502501 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-1742, you might also want to check these: