Cross-Site Request Forgery Vulnerability in 1Panel by 1Panel-dev
CVE-2025-34429

7HIGH

Key Information:

Vendor

Lxware

Status
1panel
Vendor
CVE Published:
10 December 2025

What is CVE-2025-34429?

The web port configuration of 1Panel versions 1.10.33 to 2.0.15 contains a security vulnerability that allows for Cross-Site Request Forgery (CSRF). The absence of CSRF defenses such as anti-CSRF tokens or proper validation checks can enable an attacker to craft a malicious webpage. When an authenticated user visits this page, their browser may unknowingly send a port change request, leveraging valid session cookies. This manipulation can alter the port on which the 1Panel web service operates, potentially disrupting service and removing access to the original port, which may expose the service on an unauthorized port.

Affected Version(s)

1Panel 1.10.33 <= 2.0.15

References

https://github.com/1Panel-dev/1Panel/releases
product
https://1panel.pro/
product
https://www.vulncheck.com/advisories/1panel-csrf-web-port...
third-party-advisory

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
None
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

av01t3x
JSON
.