CVE-2025-34302 is a stored cross-site scripting (XSS) vulnerability identified in IPFire, an open-source firewall distribution widely used for network security. The flaw exists in versions prior to 2.29 (Core Update 198) and is triggered when an authenticated user creates a new service entry via the web interface. Specifically, the vulnerability lies in the handling of the PROT parameter, which specifies the protocol type during service creation. The application accepts this parameter via an HTTP POST request with ACTION=saveservice, but fails to properly sanitize or encode the input before storing and later rendering it in the web interface. Consequently, an attacker with valid credentials can inject arbitrary JavaScript code into the PROT parameter. When other users view the affected service entry, the malicious script executes in their browser context, potentially allowing session hijacking, credential theft, or unauthorized actions within the IPFire management interface. The vulnerability requires authentication to exploit but does not require additional user interaction beyond viewing the injected content. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), partial user interaction (UI:P), and limited scope impact (S:L). No known public exploits have been reported yet, but the stored nature of the XSS increases the risk of persistent attacks within affected environments.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of the IPFire management interface. Successful exploitation could allow attackers to execute arbitrary scripts in the context of legitimate users, potentially leading to session hijacking, unauthorized configuration changes, or disclosure of sensitive network security information. Since IPFire is often deployed at network perimeters or critical infrastructure points, compromise could facilitate lateral movement or weaken overall network defenses. The requirement for authentication limits exposure to insider threats or attackers who have obtained credentials, but the stored nature of the XSS means that multiple users could be affected once the malicious payload is injected. Organizations relying on IPFire for firewalling or VPN services should consider the impact on operational continuity and data protection, especially in sectors with strict regulatory requirements such as finance, healthcare, and government within Europe.

To mitigate CVE-2025-34302, organizations should prioritize upgrading IPFire installations to version 2.29 (Core Update 198) or later, where the vulnerability is addressed. If immediate patching is not feasible, administrators should restrict access to the IPFire web interface to trusted networks and users only, minimizing the risk of unauthorized authenticated access. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the likelihood of credential compromise. Regularly audit service entries and remove any suspicious or unexpected entries that could contain injected scripts. Employ web application firewalls (WAFs) or reverse proxies with XSS filtering capabilities to detect and block malicious payloads targeting the PROT parameter. Additionally, educate administrators and users about the risks of stored XSS and encourage cautious behavior when interacting with the IPFire management interface. Monitoring logs for unusual POST requests or changes to service configurations can help detect exploitation attempts early.