Vulnerability Description
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ipfire | Ipfire | < 2.29 |
Related Weaknesses (CWE)
References
- https://bugzilla.ipfire.org/show_bug.cgi?id=13887Issue TrackingThird Party Advisory
- https://www.ipfire.org/blog/ipfire-2-29-core-update-198-releasedRelease Notes
- https://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blaThird Party Advisory
FAQ
What is CVE-2025-34312?
CVE-2025-34312 is a vulnerability with a CVSS score of 8.8 (HIGH). IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME param...
How severe is CVE-2025-34312?
CVE-2025-34312 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-34312?
Check the references section above for vendor advisories and patch information. Affected products include: Ipfire Ipfire.