CVE-2025-34172

6.1 MEDIUM

📋 TL;DR

This vulnerability allows reflected cross-site scripting (XSS) in pfSense CE's HAProxy statistics page. An attacker can inject script via the showsticktablecontent parameter; the script then executes in the browser of an authenticated user who opens a crafted link to the page. Only authenticated users with access to the HAProxy stats page are affected.

💻 Affected Systems

Products:
  • pfSense CE
Versions: all versions prior to the fix commit 04d1328ab077830eb57a24bb7018c812b6358c64
Operating Systems: FreeBSD-based pfSense installations
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with HAProxy package installed and enabled. The vulnerability is in the HAProxy statistics page.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal session cookies or authentication tokens, potentially gaining administrative access to the pfSense firewall and from there compromising the network or exfiltrating data.

🟠 Likely Case

Session hijacking: an attacker steals an authenticated session and performs unauthorized actions within the pfSense interface.

🟢 If Mitigated

With proper input validation and output encoding in place the impact is limited, at most script execution in an isolated browser context.

🌐 Internet-Facing: MEDIUM - Requires victim to be authenticated, but if HAProxy stats page is internet-accessible, risk increases.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this against authenticated users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to trick an authenticated user into clicking a malicious link. The victim must have access to the HAProxy stats page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version containing commit 04d1328ab077830eb57a24bb7018c812b6358c64

Vendor Advisory: https://redmine.pfsense.org/issues/16411

Restart Required: No

Instructions:

1. Update pfSense CE to the latest version.
2. Alternatively, apply the specific patch from the GitHub commit.
3. No service restart is required for the web interface fix.

🔧 Temporary Workarounds

Disable HAProxy Stats Page Access (applies to: all)

Restrict access to the vulnerable HAProxy statistics page to reduce the attack surface.

Modify firewall rules to block access to the stats page URL, /haproxy/haproxy_stats.php (the script itself lives at /usr/local/www/haproxy/haproxy_stats.php on the firewall).

Input Validation via Web Server (applies to: all)

Implement input validation at the web server level to sanitize the showsticktablecontent parameter.

Add ModSecurity rules or similar WAF rules to filter script-like input in that parameter.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access the HAProxy statistics page
  • Deploy a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check if the haproxy_stats.php file exists at /usr/local/www/haproxy/ and examine the code for proper input sanitization of the showsticktablecontent parameter.

Check Version:

pkg info pfSense | grep Version

Verify Fix Applied:

Verify that the patch from commit 04d1328ab077830eb57a24bb7018c812b6358c64 has been applied to the haproxy_stats.php file.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests to haproxy_stats.php with script-like content in parameters
  • Multiple failed authentication attempts followed by access to HAProxy stats

Network Indicators:

  • HTTP requests containing malicious script patterns in the showsticktablecontent parameter

SIEM Query:

source="pfSense" AND uri_path="/haproxy/haproxy_stats.php" AND (param="showsticktablecontent" AND value MATCHES "<script|javascript:")
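As an added illustration of the log indicators and SIEM query above (this is example code, not part of the advisory or of pfSense), the following checker runs the same rule over constructed access-log lines: it scopes to the stats page path, extracts the showsticktablecontent parameter, and percent-decodes it repeatedly before matching, so a double-encoded value is not missed. It goes slightly beyond the page's two patterns by also flagging inline event handlers (on...=).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format; these are NOT real pfSense logs.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2025:10:01:02 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=tbl_frontend HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - admin [12/Jan/2025:10:01:05 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - admin [12/Jan/2025:10:01:07 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=%253Cscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - admin [12/Jan/2025:10:02:00 +0000] "GET /status_logs.php?filtertext=%3Cscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Patterns from the advisory's SIEM query, plus inline event handlers (on...=).
XSS_RE = re.compile(r'<\s*script|javascript\s*:|on\w+\s*=', re.IGNORECASE)
TARGET_PATH = "/haproxy/haproxy_stats.php"
PARAM = "showsticktablecontent"


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are still matched."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text):
    """Return one record per request to the stats page whose parameter looks script-like."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("uri"))
        if parts.path != TARGET_PATH:
            continue  # rule is scoped to the vulnerable page, as in the SIEM query
        # parse_qs already decodes once; fully_decode handles further layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if XSS_RE.search(value):
                hits.append({"src": m.group("src"), "user": m.group("user"),
                             "ts": m.group("ts"), "value": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} ({hit['user']}): {hit['value']!r}")
```

The request to status_logs.php in the sample is deliberately ignored, since the indicator is specific to haproxy_stats.php; widen TARGET_PATH only if you want a generic reflected-XSS rule.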

🔗 References
