PT-2025-50368 · 1Panel · 1Panel
Av01T3X · Published 2025-12-10 · Updated 2026-01-06
CVE-2025-34429
CVSS v3.1
7.1
High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
1Panel versions 1.10.33 through 2.0.15
Description
The software contains a cross-site request forgery (CSRF) issue in the web port configuration functionality. The port-change endpoint does not have CSRF protections, such as anti-CSRF tokens or Origin/Referer validation. An attacker can create a malicious webpage that submits a port-change request. If a user visits this webpage while logged in, their browser sends valid session cookies, allowing the request to succeed. This enables an attacker to modify the port the 1Panel web service uses, potentially disrupting service or causing a denial of service, and possibly exposing the service on a port selected by the attacker.
Recommendations
Update 1Panel to a version later than 2.0.15.
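The following is an added example, not 1Panel's code or its actual fix: Go `net/http` middleware showing the kind of Origin/Referer validation the description says the port-change endpoint lacked. The origin `https://panel.example:8443` and the route path are placeholders assumed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// sourceOrigin returns scheme://host taken from Origin, falling back to Referer.
func sourceOrigin(r *http.Request) string {
	raw := r.Header.Get("Origin")
	if raw == "" {
		raw = r.Header.Get("Referer")
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "" // missing, "null" or unparsable: treated as untrusted
	}
	return u.Scheme + "://" + u.Host
}

// RequireSameOrigin rejects state-changing requests not sent from the panel's own origin.
func RequireSameOrigin(allowed string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions
		if !safe && sourceOrigin(r) != allowed {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status runs one constructed request through the guard; origin and path are placeholders.
func status(method, origin, referer string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "/hypothetical/port/update", nil)
	req.Header.Set("Origin", origin) // an empty value reads back the same as an absent header
	req.Header.Set("Referer", referer)
	rec := httptest.NewRecorder()
	RequireSameOrigin("https://panel.example:8443", ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("POST", "https://panel.example:8443", "")) // request from the panel's own page
	fmt.Println(status("POST", "https://other.example", ""))      // request from a third-party page
}
```

Requests that carry neither header are rejected here, which is the strict choice; a check like this complements anti-CSRF tokens rather than replacing them.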
Fix
DoS
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
1Panel