CVE-2025-32785

5.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated Pi-hole users to inject malicious JavaScript into the Address field when managing subscribed lists. When another user performs a gravity database update, the malicious script executes in their browser session. This affects all Pi-hole installations running web interface versions before 6.3.

💻 Affected Systems

Products:
  • Pi-hole Admin Interface
Versions: All versions prior to 6.3
Operating Systems: All platforms running Pi-hole
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the web interface. Pi-hole installations with default authentication enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious user could steal admin session cookies, perform actions as the admin, or redirect users to malicious sites, potentially compromising the entire Pi-hole configuration.

🟠 Likely Case

An authenticated user with limited privileges could escalate privileges by stealing admin session tokens or performing unauthorized actions within the Pi-hole interface.

🟢 If Mitigated

With proper access controls limiting authenticated users and regular patching, impact is limited to potential session hijacking between authenticated users.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the web interface and another user performing a gravity update. The vulnerability is stored XSS that triggers on specific admin actions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3

Vendor Advisory: https://github.com/pi-hole/web/security/advisories/GHSA-7w6h-3gwc-qhq5

Restart Required: No

Instructions:

1. Update Pi-hole web interface to version 6.3 or later using: pihole -up
2. Verify update completed successfully
3. No service restart required - changes take effect immediately

🔧 Temporary Workarounds

Restrict User Access

Limit authenticated user access to only trusted administrators until patching can be completed.

🧯 If You Can't Patch

  • Disable non-admin user accounts and restrict web interface access to trusted administrators only
  • Implement network segmentation to isolate Pi-hole management interface from general user access

🔍 How to Verify

Check if Vulnerable:

Check Pi-hole web interface version via Admin Interface → Settings → System tab, or run: pihole -v | grep 'AdminLTE'

Check Version:

pihole -v | grep 'AdminLTE'

Verify Fix Applied:

Confirm AdminLTE version is 6.3 or higher using: pihole -v | grep 'AdminLTE'

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in gravity update logs
  • Multiple failed authentication attempts followed by list management actions

Network Indicators:

  • Unusual outbound connections from Pi-hole server after gravity updates
  • Suspicious JavaScript in HTTP POST requests to list management endpoints

SIEM Query:

source="pi-hole" AND ("gravity update" OR "list management") AND ("script" OR "javascript" OR "<script>")
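Because the payload is stored in the subscribed-list Address field, the most direct check is to audit what is actually stored rather than rely on log keyword matches. The script below is an added example, not Pi-hole project code: it flags adlist addresses that contain markup characters, a javascript: scheme or an inline event-handler pattern, or that are not plain http(s) URLs. It assumes the adlist table in /etc/pihole/gravity.db has an address column (path and schema are assumptions); the sample rows are constructed.

```python
"""Audit Pi-hole subscribed-list addresses for stored markup (added example)."""
import re
import sqlite3
from urllib.parse import urlparse

# Markup characters, a javascript: scheme, or an inline handler such as onerror=
# never belong in a legitimate blocklist URL.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)


def is_clean_address(address: str) -> bool:
    """True only for a plain http(s) URL with a host and no markup characters."""
    if MARKUP_RE.search(address):
        return False
    parsed = urlparse(address.strip())
    # Local file:// lists, if used, are deliberately flagged for manual review.
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def flag_entries(rows):
    """Return the (id, address) rows whose address looks injected or malformed."""
    return [(row_id, addr) for row_id, addr in rows if not is_clean_address(addr)]


def audit_gravity_db(path="/etc/pihole/gravity.db"):
    """Read the adlist table read-only and return the suspicious rows."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # path is an assumption
    try:
        rows = conn.execute("SELECT id, address FROM adlist").fetchall()
    finally:
        conn.close()
    return flag_entries(rows)


# Constructed sample rows standing in for the adlist table.
SAMPLE_ROWS = [
    (1, "https://example.com/hosts"),
    (2, "http://lists.example.org/ads.txt"),
    (3, 'https://example.com/list.txt"><script>alert(1)</script>'),
    (4, "javascript:alert(document.cookie)"),
    (5, "not a url at all"),
]

if __name__ == "__main__":
    for row_id, addr in flag_entries(SAMPLE_ROWS):
        print(f"adlist id {row_id}: suspicious address {addr!r}")
```

Run audit_gravity_db() on the live database (as a user that can read it) and treat any flagged row as evidence to preserve and investigate, not just to delete.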
