CVE-2025-34305 is a stored cross-site scripting (XSS) vulnerability identified in IPFire, an open-source firewall distribution, affecting versions prior to 2.29 (Core Update 198). The root cause lies in the cleanhtml() function located in /var/ipfire/header.pl, which is responsible for sanitizing user input before rendering it in the web interface. Although the function calls escape() and HTML::Entities::encode_entities() to sanitize input fields such as CLIENT_COMMENT, ADVOPT_DATA, FIX_REMARK, FIX_FILENAME, FIX_ROOTPATH, ACTION_COMMENT, and REMARK across multiple CGI scripts (wakeonlan.cgi, dhcp.cgi, connscheduler.cgi, dnsforward.cgi, vpnmain.cgi, dns.cgi), it fails to assign the sanitized output back to the variables used for rendering. Consequently, the original unsanitized input is stored and later displayed, enabling attackers to inject malicious JavaScript code that executes in the context of other authenticated users viewing the affected pages. Exploitation requires an attacker to have authenticated access to the IPFire web interface and submit crafted payloads to these endpoints. The vulnerability can be leveraged to perform actions such as session hijacking, privilege escalation within the management interface, or stealing sensitive information. The CVSS 4.0 base score of 5.1 reflects a medium severity, considering the network attack vector, low attack complexity, no privileges required beyond authentication, and no user interaction beyond the attacker submitting input. No public exploits or active exploitation have been reported to date. The vulnerability affects the confidentiality and integrity of the firewall management interface and potentially the availability if leveraged in chained attacks. IPFire is widely used in small to medium enterprises and critical infrastructure environments, making this vulnerability significant for organizations relying on it for perimeter defense and network segmentation.

For European organizations, this vulnerability poses a risk to the security and integrity of their network perimeter defenses if they use IPFire as a firewall or gateway solution. Successful exploitation could allow attackers with authenticated access to execute arbitrary scripts in the context of other users, potentially leading to session hijacking, unauthorized configuration changes, or disclosure of sensitive network information. This could undermine the firewall’s role in protecting internal networks and critical assets. Given IPFire’s popularity in small and medium enterprises and some public sector deployments across Europe, the impact could extend to disruption of business operations, compliance violations (e.g., GDPR if personal data is exposed), and increased risk of lateral movement by attackers within networks. The vulnerability’s requirement for authenticated access limits exposure to internal or trusted users, but insider threats or compromised credentials could facilitate exploitation. The lack of known exploits reduces immediate risk but should not lead to complacency. Organizations in sectors such as energy, government, healthcare, and finance, which often deploy IPFire for network security, are particularly at risk due to the criticality of their infrastructure.

Organizations should immediately upgrade IPFire to version 2.29 (Core Update 198) or later, where this vulnerability is fixed by properly assigning sanitized input back to output variables. If upgrading is not immediately feasible, administrators should restrict access to the IPFire web interface to trusted networks and users only, enforce strong authentication mechanisms, and monitor logs for suspicious input patterns or unexpected user activity. Implementing web application firewalls (WAFs) that can detect and block XSS payloads targeting the affected CGI endpoints may provide temporary protection. Regularly auditing user accounts and credentials to prevent unauthorized access is critical. Additionally, organizations should educate users with access to the firewall interface about the risks of submitting untrusted input and encourage reporting of anomalies. Network segmentation to isolate management interfaces and limiting administrative access via VPN or jump hosts can reduce the attack surface. Finally, organizations should monitor IPFire security advisories for patches and updates and apply them promptly.