Authenticated Command Injection in Pi-hole by Pi-hole
CVE-2025-34087
Key Information:
- Vendor
Pi-hole Llc
- Status
- Vendor
- CVE Published:
- 3 July 2025
Badges
What is CVE-2025-34087?
An authenticated command injection vulnerability has been identified in Pi-hole versions up to 3.3 that affects the legacy AdminLTE interface. The issue arises when users add a domain to the allowlist via the web interface. The system fails to properly sanitize the domain parameter, which allows an attacker to inject and execute arbitrary OS commands on the underlying operating system with the privileges of the Pi-hole service user. This vulnerability presents a significant risk to system integrity and can be exploited if the user interacts with specially crafted inputs. It has been addressed in later releases, reinforcing the importance of keeping software up-to-date.
Affected Version(s)
Web * <= 3.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved