CVE-2025-34314

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript into time constraint rules. When other users view these rules in the web interface, the scripts execute in their browser context. This affects all IPFire installations running versions before 2.29 Core Update 198.

💻 Affected Systems

Products:
  • IPFire
Versions: All versions prior to 2.29 (Core Update 198)
Operating Systems: IPFire Linux distribution
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface; affects all default installations with URL filtering enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could steal administrator session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Attackers with authenticated access could perform session hijacking, modify firewall rules, or exfiltrate sensitive configuration data from other users' sessions.

🟢 If Mitigated

With proper access controls limiting authenticated users, impact is reduced to privilege escalation among existing users rather than external compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to create time constraint rules; no public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IPFire 2.29 Core Update 198

Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released

Restart Required: No

Instructions:

1. Log in to the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify that the update completes successfully.

🔧 Temporary Workarounds

Restrict authenticated user access

all

Limit which users can create time constraint rules to trusted administrators only.

Disable URL filtering if not needed

all

Remove URL filtering functionality to eliminate the vulnerable endpoint.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can create/modify time constraint rules
  • Monitor for suspicious POST requests to /cgi-bin/urlfilter.cgi with MODE=TIMECONSTRAINT

🔍 How to Verify

Check if Vulnerable:

Check IPFire version via web interface dashboard or SSH command: cat /etc/ipfire-release

Check Version:

cat /etc/ipfire-release

Verify Fix Applied:

Verify version shows 2.29 (Core Update 198) or later; test that SRC/DST/COMMENT parameters in time constraint rules are properly HTML-encoded.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /cgi-bin/urlfilter.cgi with MODE=TIMECONSTRAINT containing script tags or JavaScript in parameters

Network Indicators:

  • Unusual outbound connections from IPFire web interface to external domains

SIEM Query:

web_access_logs WHERE url_path='/cgi-bin/urlfilter.cgi' AND method='POST' AND params CONTAINS 'MODE=TIMECONSTRAINT' AND (params CONTAINS '<script' OR params CONTAINS 'javascript:')
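
Added example (not from the IPFire project or from this advisory's source): a Python triage check for the indicator above that percent-decodes the SRC, DST and COMMENT fields before matching, since a literal '<script' match misses encoded values. It assumes POST bodies are captured somewhere (for example by a proxy or WAF), because standard access logs do not record them; the record layout and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "/cgi-bin/urlfilter.cgi"      # endpoint named in the advisory
FIELDS = ("SRC", "DST", "COMMENT")       # parameters named in the advisory
# Tokens that only matter if a value is rendered without HTML encoding.
SUSPICIOUS = re.compile(r"[<>]|javascript\s*:|\bon[a-z]+\s*=", re.I)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %253Cscript is seen as <script."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(method, path, body):
    """Return [(field, decoded_value)] for rule fields that carry markup."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    params = parse_qs(body, keep_blank_values=True)  # decodes one layer
    if "TIMECONSTRAINT" not in params.get("MODE", []):
        return []
    hits = []
    for field in FIELDS:
        for raw in params.get(field, []):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((field, value))
    return hits

# Constructed sample records (method, path, form body); not real traffic.
SAMPLES = [
    ("POST", ENDPOINT, "MODE=TIMECONSTRAINT&SRC=192.168.1.0%2F24&DST=any&COMMENT=office+hours"),
    ("POST", ENDPOINT, "MODE=TIMECONSTRAINT&SRC=any&DST=any&COMMENT=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("POST", ENDPOINT, "MODE=TIMECONSTRAINT&SRC=%253Cimg+src%253Dx%253E&DST=any&COMMENT=ok"),
    ("GET", ENDPOINT, ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, flag_request(method, path, body) or "clean")
```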
