CVE-2025-34087

Pi-Hole AdminLTE Whitelist (now 'Web Allowlist') Remote Command Execution

Severity Score

9.0

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.

Existe una vulnerabilidad de inyección de comandos autenticados en las versiones de Pi-hole hasta la 3.3. Al añadir un dominio a la lista de permitidos mediante la interfaz web, el parámetro de dominio no se depura correctamente, lo que permite a un atacante añadir comandos del sistema operativo a la cadena de dominio. Estos comandos se ejecutan en el sistema operativo subyacente con los privilegios del usuario del servicio Pi-hole. Este comportamiento ya existía en la interfaz AdminLTE heredada y se ha corregido en versiones posteriores.

*Credits: Denis Andzakovic

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-15 CVE Reserved
2025-07-03 CVE Published
2025-07-03 CVE Updated
2025-07-03 First Exploit
2025-07-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

CAPEC-88: OS Command Injection
CAPEC-137: Parameter Injection

References (5)

URL	Tag	Source
https://pi-hole.net	Product
https://vulncheck.com/advisories/pihole-adminlte-whitelist-rce	Third Party Advisory

URL	Date	SRC
https://pulsesecurity.co.nz/advisories/pihole-v3.3-vulns	2025-07-03
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/pihole_whitelist_exec.rb	2025-07-03

URL	Date	SRC
https://github.com/pi-hole/web/releases/tag/v4.0	2025-07-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pi-hole LLC Search vendor "Pi-hole LLC"		Web Search vendor "Pi-hole LLC" for product "Web"				<= 3.3 Search vendor "Pi-hole LLC" for product "Web" and version " <= 3.3"		en		Affected