IPFire < v2.29 Command Injection via URL Filter Blacklist

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.

AI Analysis

Command injection vulnerability in IPFire via the BE_NAME parameter when installing a blacklist, allowing arbitrary command execution as the 'nobody' user

Basic Information

ID CVE-2025-34312

Source VulnCheck

Published Oct 28, 2025 at 14:37

Modified Oct 28, 2025 at 15:17

Affected Product

Vendor IPFire.org

Product IPFire

Affected Versions IPFire.org IPFire 0

CWE Classification

CWE-78

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor IPFire.org

Product IPFire

Version < 2.29

References

{
    "lastseen": "",
    "description": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.",
    "published": "2025-10-28T14:37:47.417Z",
    "modified": "2025-10-28T15:17:00.706Z",
    "type": "cve",
    "title": "IPFire < v2.29 Command Injection via URL Filter Blacklist",
    "source": "VulnCheck",
    "references": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released\nhttps://bugzilla.ipfire.org/show_bug.cgi?id=13887\nhttps://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist",
    "id": "CVE-2025-34312",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "IPFire.org IPFire 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "IPFire",
    "version": "0",
    "vendor": "IPFire.org",
    "ai_description": "Command injection vulnerability in IPFire via the BE_NAME parameter when installing a blacklist, allowing arbitrary command execution as the 'nobody' user",
    "ai_severity": "High",
    "ai_vendor": "IPFire.org",
    "ai_product": "IPFire",
    "ai_version": "< 2.29",
    "ai_score": 8.7
}

IPFire < v2.29 Command Injection via URL Filter Blacklist_CVE-2025-34312