CVE-2025-34311

HIGH

IPFire < 2.29 - Authenticated OS Command Injection via Proxy Report Parameters


Description

IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report, the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for shell metacharacters or other unsafe constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
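The missing check described above, as an added example that is not IPFire's code or its actual fix: each of the thirteen fields is matched against an allowlist, and the helper is given an argument list instead of an interpolated shell string. The accepted value formats, the helper path, the argument order and the function names are assumptions made for illustration.

```python
import re

# Field names come from the advisory text; the accepted formats below are
# assumptions for illustration, not IPFire's actual rules.
NUMERIC_FIELDS = (
    "DAY_BEGIN", "MONTH_BEGIN", "YEAR_BEGIN",
    "DAY_END", "MONTH_END", "YEAR_END",
    "NUM_DOMAINS", "PERF_INTERVAL", "NUM_CONTENT",
    "HIST_LEVEL", "NUM_HOSTS", "NUM_URLS",
)
BYTE_UNITS = {"B", "K", "M", "G"}    # assumed set of units
DIGITS = re.compile(r"[0-9]{1,4}")   # ASCII digits only, used with fullmatch
HELPER = "/path/to/mkreport"         # placeholder path (hypothetical)


def validate_report_params(form):
    """Return (clean, rejected): validated values and offending field names."""
    clean, rejected = {}, []
    for name in NUMERIC_FIELDS:
        value = form.get(name, "")
        # fullmatch rejects trailing newlines and anything that is not a digit
        if isinstance(value, str) and DIGITS.fullmatch(value):
            clean[name] = value
        else:
            rejected.append(name)
    unit = form.get("BYTE_UNIT", "")
    if isinstance(unit, str) and unit in BYTE_UNITS:
        clean["BYTE_UNIT"] = unit
    else:
        rejected.append("BYTE_UNIT")
    return clean, rejected


def build_helper_argv(form):
    """Build an argument vector for the helper; raise if any field is invalid.

    The list is meant for an exec-style call without a shell, such as
    subprocess.run(argv, shell=False), so no value is parsed as shell syntax.
    The positional argument order is an assumption.
    """
    clean, rejected = validate_report_params(form)
    if rejected:
        raise ValueError("invalid report parameters: " + ", ".join(rejected))
    return [HELPER] + [clean[n] for n in NUMERIC_FIELDS] + [clean["BYTE_UNIT"]]


# Constructed sample inputs: one well-formed, one carrying shell metacharacters.
GOOD_FORM = dict({name: "1" for name in NUMERIC_FIELDS}, BYTE_UNIT="M")
BAD_FORM = dict(GOOD_FORM, DAY_BEGIN="1;echo injected", BYTE_UNIT="M$(id)")
```

Rejected field names are worth logging on the server side, since a legitimate report form has no reason to submit anything outside these formats.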

References (3)

Core References
Issue Tracking, Third Party Advisory issue-tracking
https://bugzilla.ipfire.org/show_bug.cgi?id=13886

Scores

CVSS v3 8.8
EPSS 0.1265
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (2)
ipfire/ipfire 2.29 core_update183 (15 CPE variants)
ipfire/ipfire < 2.29
Published Oct 28, 2025
Tracked Since Feb 18, 2026