Authenticated Command Injection in Pi-hole by Pi-hole
CVE-2025-34087
Key Information:
- Vendor
Pi-hole Llc
- Status
- Vendor
- CVE Published:
- 3 July 2025
Badges
What is CVE-2025-34087?
An authenticated command injection vulnerability has been identified in Pi-hole versions up to 3.3 that affects the legacy AdminLTE interface. The issue arises when users add a domain to the allowlist via the web interface. The system fails to properly sanitize the domain parameter, which allows an attacker to inject and execute arbitrary OS commands on the underlying operating system with the privileges of the Pi-hole service user. This vulnerability presents a significant risk to system integrity and can be exploited if the user interacts with specially crafted inputs. It has been addressed in later releases, reinforcing the importance of keeping software up-to-date.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
Web * <= 3.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
46% chance of being exploited in the next 30 days.
CVSS V4
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved