CVE-2025-32785
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | web_interface | to 6.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue in the Pi-hole Admin Interface versions prior to 6.3. An authenticated user can inject malicious JavaScript code into the Address field in the Subscribed Lists group management section. The injected script is executed when another user navigates to the Tools section and performs a gravity database update. The root cause is that the Address field does not properly sanitize input, allowing special characters and script tags to bypass validation. This vulnerability has been fixed in version 6.3.
How can this vulnerability impact me? :
This vulnerability can allow an authenticated user to execute malicious JavaScript in the context of another user's browser session. This could lead to unauthorized actions, data theft, or session hijacking within the Pi-hole Admin Interface. The impact depends on the privileges of the affected users and the nature of the injected script.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Pi-hole Admin Interface to version 6.3 or later, as this version contains the patch that fixes the cross-site scripting vulnerability in the Address field of the Subscribed Lists group management section. Additionally, restrict authenticated user access to trusted individuals to minimize risk until the upgrade is applied.