Directory Traversal Vulnerability in pfSense Suricata Package
CVE-2025-34176

5.3MEDIUM

Key Information:

Vendor

Netgate

Status
Pfsense Ce
Vendor
CVE Published:
9 September 2025

What is CVE-2025-34176?

A directory traversal vulnerability exists in the pfSense Suricata package due to unsanitized input in the iplist parameter within the suricata_ip_reputation.php script. This flaw allows authenticated users with 'WebCfg - Services: suricata package' permissions to potentially enumerate files on the server, as the existence of files can be checked without actually revealing their contents. This presents a security risk for sensitive file structures within the application.

Affected Version(s)

pfSense CE 7.0.8_2

References

https://github.com/pfsense/FreeBSD-ports/commit/97852ccfd...
patch
https://redmine.pfsense.org/issues/16414
issue-tracking
https://www.vulncheck.com/advisories/netgate-pf-sense-ce-...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams (Pellera Technologies)
JSON
.