CVE-2025-34305 is a stored cross-site scripting (XSS) vulnerability identified in IPFire, an open-source firewall distribution widely used for network security. The vulnerability exists in versions prior to 2.29 (Core Update 198) due to a bug in the cleanhtml() function located in /var/ipfire/header.pl. This function is intended to sanitize user input by applying HTML entity encoding to prevent script injection. However, while the code calls escape() and HTML::Entities::encode_entities(), it fails to assign the sanitized output back to the variable that is stored and later rendered. Consequently, unsanitized user input is stored in various CGI scripts such as wakeonlan.cgi, dhcp.cgi, connscheduler.cgi, dnsforward.cgi, vpnmain.cgi, and dns.cgi. These endpoints accept POST requests with parameters like CLIENT_COMMENT, ADVOPT_DATA, REMARK, and others. When other authenticated users view these stored values via the web interface, the malicious scripts execute in their browsers, enabling cross-site scripting attacks. The vulnerability requires the attacker to have authenticated access to submit malicious input, and some user interaction is necessary for the payload to execute. The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and no user interaction beyond viewing the affected page. The vulnerability impacts confidentiality and integrity by allowing script execution that could lead to session hijacking, credential theft, or unauthorized actions within the IPFire management interface. No public exploits are currently known, but the flaw poses a risk to environments relying on IPFire for perimeter defense and network management.

For European organizations, the impact of this vulnerability can be significant, especially for those using IPFire as a critical network security appliance. Successful exploitation could allow attackers with authenticated access to execute arbitrary scripts in the context of other users, potentially leading to session hijacking, theft of administrative credentials, or unauthorized configuration changes. This undermines the confidentiality and integrity of the firewall management interface, potentially compromising the entire network security posture. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on IPFire for secure network operations are particularly at risk. Additionally, since IPFire is often used in small to medium enterprises and branch offices, attackers could leverage this vulnerability to pivot into larger corporate networks. The requirement for authentication limits exposure somewhat, but insider threats or compromised credentials could facilitate exploitation. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

European organizations should immediately verify their IPFire version and upgrade to version 2.29 (Core Update 198) or later where this vulnerability is fixed. If upgrading is not immediately feasible, administrators should restrict access to the IPFire web interface to trusted networks and users only, employing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Regularly audit user accounts and permissions to minimize the number of users who can submit data to the vulnerable endpoints. Implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the affected CGI scripts. Additionally, monitor logs for unusual POST requests to the vulnerable endpoints and for unexpected script execution behaviors. Educate users with access to the IPFire interface about the risks of XSS and the importance of not clicking on suspicious links or submitting untrusted input. Finally, maintain a robust patch management process to ensure timely application of security updates.