PT-2025-44171 · Ipfire · Ipfire

Alex Williams · Published 2025-10-28 · Updated 2025-10-29 · CVE-2025-34312

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: IPFire versions prior to 2.29 (Core Update 198)

Description: IPFire versions prior to 2.29 (Core Update 198) contain a command injection issue. An authenticated attacker can execute arbitrary commands as the 'nobody' user via the BE NAME parameter when installing a blacklist: the application sends an HTTP POST request to the /cgi-bin/urlfilter.cgi endpoint and incorporates the value of BE NAME directly into a shell command without proper sanitization. Shell metacharacters in that value are therefore interpreted by the shell, leading to arbitrary command execution with 'nobody' user privileges.

Recommendations: Update IPFire to version 2.29 (Core Update 198) or later.
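The pattern the advisory describes, as an added illustration that is not IPFire's code and not part of the advisory: a hypothetical Perl CGI handler (IPFire's web interface is assumed here to be Perl CGI) that installs a blacklist archive named by a request parameter. The unsafe function interpolates the parameter into a string handed to the shell; the hardened function validates the name against a strict allowlist and then uses the list form of `system()`, which runs the program without a shell. The directory, parameter name, function names and archive layout are assumptions.

```perl
#!/usr/bin/perl
# Added example, not IPFire's code: a hypothetical Perl CGI handler that
# installs a blacklist archive named by a request parameter, showing the
# unsafe pattern described in the advisory beside a hardened version.
# Paths, names and the parameter handling are assumptions.
use strict;
use warnings;

my $BLACKLIST_DIR = '/var/tmp/example-blacklists';   # hypothetical path

# Accept only a plain identifier: a letter or digit followed by letters,
# digits, underscore or hyphen. Anything else (whitespace, quotes, ';', '|',
# '$', '`', '/', '.') is rejected before the value reaches a command line
# or a filesystem path.
sub valid_blacklist_name {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/ ? 1 : 0;
}

# Unsafe pattern: the parameter is interpolated into one string that is
# passed to /bin/sh, so shell metacharacters in it change what runs.
sub install_blacklist_unsafe {
    my ($name) = @_;
    system("tar -xzf $BLACKLIST_DIR/$name.tar.gz -C $BLACKLIST_DIR");
    return $? >> 8;
}

# Hardened version: validate first, then use the list form of system(),
# which execs tar directly with no shell, so each value is exactly one
# argument and cannot be split or reinterpreted.
sub install_blacklist_safe {
    my ($name) = @_;
    return 'rejected: invalid blacklist name' unless valid_blacklist_name($name);
    my $archive = "$BLACKLIST_DIR/$name.tar.gz";
    return 'rejected: no such blacklist' unless -f $archive;
    my $rc = system('/bin/tar', '-xzf', $archive, '-C', $BLACKLIST_DIR);
    return $rc == 0 ? 'ok' : 'extraction failed';
}

# Stand-alone check with constructed names; a real CGI would read the value
# from the POST body instead of this list.
for my $candidate ('adult', 'my-list_2', 'bad name', '../up', 'a;b') {
    printf "%-12s %s\n", $candidate,
        valid_blacklist_name($candidate) ? 'accepted' : 'rejected';
}
```

Both layers matter: the allowlist keeps untrusted input out of the path, and the list-form `system()` removes the shell from the picture entirely, so even a value that slipped past validation could not be parsed as shell syntax. On the detection side, the same allowlist can be applied to web-server access logs or request bodies for the endpoint to flag parameter values containing shell metacharacters.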

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2025-34312

Affected Products: Ipfire