CVE-2025-59151
📋 TL;DR
Pi-hole Admin Interface before version 6.3 is vulnerable to CRLF injection, allowing attackers to inject arbitrary HTTP response headers by manipulating requests to .lp files. This can lead to session fixation, cache poisoning, and bypassing browser security mechanisms. Anyone running Pi-hole Admin Interface versions before 6.3 is affected.
💻 Affected Systems
- Pi-hole Admin Interface
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete session hijacking, cache poisoning attacks affecting all users, bypass of Content Security Policy leading to XSS, and potential credential theft.
Likely Case
Session fixation attacks allowing unauthorized access to admin interface, cache poisoning affecting user experience, and weakening of browser security controls.
If Mitigated
Limited impact if Pi-hole sits behind a reverse proxy that sanitizes request and response headers, or if the admin interface is not internet-facing.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to .lp endpoints, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3
Vendor Advisory: https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4
Restart Required: Yes
Instructions:
1. Update Pi-hole web interface: sudo pihole -up
2. Verify update completed successfully
3. Restart Pi-hole service: sudo pihole restartdns
🔧 Temporary Workarounds
Block .lp requests at reverse proxy
Configure the reverse proxy (nginx/apache) to block or sanitize requests to .lp files. Note that the Pi-hole v6 admin pages are themselves .lp files, so denying all of them effectively disables the web interface (see "Disable admin web interface" below).
# nginx example:
location ~ \.lp$ { deny all; }
# Apache example:
<Files "*.lp">
    Require all denied
</Files>
Restrict admin interface access
Limit access to the Pi-hole admin interface using firewall rules or network segmentation
# Example iptables rules (replace TRUSTED_IP with your management host):
sudo iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Place Pi-hole admin interface behind authenticated reverse proxy with header sanitization
- Disable admin web interface and use CLI management only
🔍 How to Verify
Check if Vulnerable:
Check Pi-hole web interface version via admin panel or run: pihole -v | grep 'Web Interface'
Check Version:
pihole -v | grep 'Web Interface'
Verify Fix Applied:
Confirm version is 6.3 or higher: pihole -v | grep 'Web Interface' should show 'v6.3' or later
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing %0d%0a sequences
- Requests to .lp files with unusual parameters
- Unexpected HTTP response headers in logs
Network Indicators:
- HTTP traffic to Pi-hole admin port with CRLF sequences
- Multiple rapid requests to .lp endpoints
SIEM Query:
source="pi-hole.log" AND ("%0d%0a" OR (".lp" AND NOT "static/"))
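As an added example (not part of the original advisory), a small Python scan that applies the log indicators above to constructed access-log lines: it flags requests to .lp paths whose target contains a CR or LF after URL-decoding, including uppercase and double-encoded variants, and skips static assets as the SIEM query does. The common-log-format layout and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format; not real Pi-hole logs.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2025:10:00:01 +0000] "GET /admin/login.lp HTTP/1.1" 200 1532
192.0.2.10 - - [01/Oct/2025:10:00:02 +0000] "GET /admin/static/css/main.css HTTP/1.1" 200 8012
198.51.100.7 - - [01/Oct/2025:10:00:03 +0000] "GET /admin/login.lp?x=%0d%0aSet-Cookie:%20sid%3Dabc HTTP/1.1" 302 0
198.51.100.7 - - [01/Oct/2025:10:00:04 +0000] "GET /admin/settings/dns.lp?q=a%0D%0AX-Test:%201 HTTP/1.1" 200 900
198.51.100.7 - - [01/Oct/2025:10:00:05 +0000] "GET /admin/login.lp?x=%250d%250aX-Test:%201 HTTP/1.1" 200 1532
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_crlf(target: str) -> bool:
    """True if the request target carries a CR or LF after up to two rounds of URL-decoding."""
    s = target
    for _ in range(2):  # catches %0d%0a / %0D%0A and double-encoded %250d%250a
        if "\r" in s or "\n" in s:
            return True
        s = unquote(s)
    return "\r" in s or "\n" in s


def scan(log_text: str) -> list[dict]:
    """Return one finding per request to a non-static .lp path that contains a CRLF sequence."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these separately
        target = m.group("target")
        path = target.split("?", 1)[0]
        if not path.endswith(".lp") or "/static/" in path:
            continue
        if has_crlf(target):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": target, "status": m.group("status")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['target']}")
```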