CVE-2025-53533

6.1 MEDIUM

📋 TL;DR

Pi-hole Admin Interface versions 6.2.1 and earlier contain a reflected cross-site scripting (XSS) vulnerability in the 404 error page. An attacker can craft malicious URLs that execute arbitrary JavaScript in victims' browsers when they visit the link. This affects all Pi-hole administrators who access the web interface.

💻 Affected Systems

Products:
  • Pi-hole Admin Interface
Versions: 6.2.1 and earlier
Operating Systems: All platforms running Pi-hole
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web admin interface, not the core Pi-hole DNS functionality. Requires user interaction (clicking malicious link).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals administrator session cookies, takes over Pi-hole administration, modifies DNS blocking rules, or redirects network traffic to malicious sites.

🟠 Likely Case

Attacker performs session hijacking to gain unauthorized access to the Pi-hole admin interface, potentially modifying DNS settings or blocking rules.

🟢 If Mitigated

Limited impact if administrators use separate browser profiles for Pi-hole, have session timeouts configured, or access Pi-hole only from trusted networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to trick a victim into opening a crafted URL. No authentication bypass is needed, since the vulnerability is in the 404 page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3

Vendor Advisory: https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w

Restart Required: No

Instructions:

1. Update Pi-hole web interface using: pihole -up
2. Alternatively, manually update web interface files from GitHub repository
3. Verify version shows 6.3 or higher

🔧 Temporary Workarounds

Restrict Admin Interface Access


Limit Pi-hole admin interface access to trusted IP addresses only using firewall rules or web server configuration.

# Allow the trusted LAN first, then deny everyone else; ufw evaluates rules in order,
# and a comma-separated port list requires the protocol to be named explicitly.
sudo ufw allow from 192.168.1.0/24 to any port 80,443 proto tcp
sudo ufw deny 80,443/tcp

Use Separate Browser Profile


Access Pi-hole admin interface using a dedicated browser profile or private/incognito mode to limit session exposure.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution
  • Deploy web application firewall (WAF) rules to detect and block XSS payloads in URLs

🔍 How to Verify

Check if Vulnerable:

Check the Pi-hole web interface version in the admin dashboard, or run: pihole -v | grep 'AdminLTE'

Check Version:

pihole -v | grep 'AdminLTE'

Verify Fix Applied:

Confirm the version is 6.3 or higher, then test by requesting a non-existent page with a test payload such as /test' onload='alert(1) and confirming that no script executes.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 404 errors with unusual URL patterns containing JavaScript payloads
  • Multiple failed page requests with suspicious characters in URLs

Network Indicators:

  • Unusual outbound connections from Pi-hole server after admin interface access
  • DNS queries to suspicious domains following admin login

SIEM Query:

source="pi-hole" AND status=404 AND (uri="*onload*" OR uri="*javascript:*" OR uri="*<script>*")
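The SIEM query above only matches literal substrings, so a percent-encoded request (for example %3Cscript%3E) slips past it. The following script is an added example, not part of this advisory or of the Pi-hole project: it parses constructed web-server access-log lines in combined-log layout, URL-decodes the request path (bounded, to catch double encoding), and flags 404 responses whose path contains the same three markers the query looks for. The log lines and IP addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Pi-hole logs) in a common
# combined-log layout: client, timestamp, request line, status, size.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Jul/2025:09:01:02 +0000] "GET /admin/ HTTP/1.1" 200 5123
192.168.1.20 - - [10/Jul/2025:09:01:05 +0000] "GET /admin/does-not-exist HTTP/1.1" 404 812
10.0.0.7 - - [10/Jul/2025:09:02:11 +0000] "GET /admin/test'%20onload='alert(1) HTTP/1.1" 404 812
10.0.0.7 - - [10/Jul/2025:09:02:13 +0000] "GET /admin/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 812
192.168.1.31 - - [10/Jul/2025:09:03:40 +0000] "GET /admin/queries?q=javascript:void(0) HTTP/1.1" 200 3301
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers mirrored from the advisory's SIEM query, checked after URL decoding
# so percent-encoded variants of the same payload are not missed.
PAYLOAD_PATTERNS = ("onload", "javascript:", "<script>")


def decode_uri(uri: str) -> str:
    """Percent-decode repeatedly (bounded) to catch double-encoded payloads."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_suspicious_404(entry: dict) -> bool:
    """True when a 404 response carries an XSS-like marker in its request path."""
    if entry["status"] != 404:
        return False
    uri = decode_uri(entry["uri"]).lower()
    return any(p in uri for p in PAYLOAD_PATTERNS)


def find_suspicious(log_text: str):
    """Return (client, raw_uri) pairs for every suspicious 404 in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious_404(entry):
            hits.append((entry["client"], entry["uri"]))
    return hits


if __name__ == "__main__":
    for client, uri in find_suspicious(SAMPLE_LOG):
        print(f"suspicious 404 from {client}: {uri}")
```

Run against the sample, it reports the two 404 requests from 10.0.0.7 and ignores the javascript: query string that returned 200, matching the status=404 condition of the corrected query. Requests that were blocked by a firewall or WAF never reach the log, so a clean result here says nothing about attempts that were stopped upstream.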

🔗 References
