A stored cross-site scripting (XSS) flaw has been identified in IPFire 2.29’s web-based firewall interface (firewall.cgi).
Tracked as CVE-2025-50975, the vulnerability allows any authenticated administrator to inject persistent JavaScript into firewall rule parameters.
Once stored, the payload executes automatically when another administrator loads the rules page, potentially resulting in session hijacking, unauthorized actions within the interface, or even deeper network pivoting.
Key Takeaways
1. IPFire 2.29’s firewall.cgi lets an authenticated administrator inject persistent JavaScript into firewall rule parameters.
2. The stored payload can enable session hijacking, unauthorized actions within the interface, or further internal pivoting.
3. Upgrade to the fixed release, enforce input sanitization, and apply strict least-privilege access to the management GUI.
Stored XSS Vulnerability
According to the report, IPFire’s firewall management CGI script fails to sanitize multiple user-supplied parameters before rendering them in the HTML response.
The affected fields include PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt and tgt_addr.
An attacker with high-privilege GUI access can craft a malicious rule entry such as:
Adding the payload inside the ruleremark parameter:
Upon submission, the JavaScript snippet is stored in the firewall rule set. When any administrator subsequently views https://

This simple yet potent exploit requires no social engineering beyond valid credentials, and its complexity is relatively low.
| Risk Factors | Details |
|---|---|
| Affected Products | IPFire 2.29, specifically the firewall.cgi interface |
| Impact | Persistent JavaScript injection (stored XSS), unauthorized interface actions |
| Exploit Prerequisites | Authenticated administrator access to the firewall CGI web GUI |
| CVSS 3.1 Score | Not specified |
Mitigations
Demonstrations of the attack leverage a test instance at https://192.168.124.92:444/cgi-bin/firewall.cgi, where a GIF walkthrough illustrates payload injection and session cookie exfiltration.
Since the flaw resides in the lack of HTML escaping for multiple parameters, IPFire deployments in multi-admin environments are particularly at risk.
To mitigate the issue, all firewall.cgi parameters must be HTML-escaped or passed through a whitelisting routine.
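As an added example (not IPFire’s own code), the routine below shows that mitigation for the parameters named in the report: strict whitelist patterns for the structured fields and HTML escaping for the free-text remark, written in Perl because firewall.cgi is a Perl CGI. The patterns, zone names and the sample submission are assumptions constructed for illustration, not IPFire’s actual validation rules.

```perl
# Added example (not IPFire's own code): whitelist validation for the structured
# firewall.cgi parameters plus HTML escaping of the free-text remark, applied
# before any submitted value is rendered back into the rules page.
use strict;
use warnings;

# Escape the five characters that let a value break out of HTML text or
# attribute context (HTML::Entities' encode_entities would also do).
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Assumed, deliberately tight patterns for fields with a known shape;
# a value that does not match is rejected rather than repaired.
my %allow = (
    PROT        => qr/^(?:tcp|udp|icmp|esp|gre|all)$/i,
    SRC_PORT    => qr/^\d{1,5}(?::\d{1,5})?$/,   # "80" or "1024:65535"
    TGT_PORT    => qr/^\d{1,5}(?::\d{1,5})?$/,
    dnatport    => qr/^\d{1,5}$/,
    key         => qr/^\d+$/,                    # rule index
    src_addr    => qr/^\d{1,3}(?:\.\d{1,3}){3}(?:\/\d{1,2})?$/,
    tgt_addr    => qr/^\d{1,3}(?:\.\d{1,3}){3}(?:\/\d{1,2})?$/,
    std_net_tgt => qr/^[A-Za-z]+$/,              # assumed zone names, e.g. GREEN
);

# Returns (\%clean, \@errors). ruleremark is free text, so it is escaped
# instead of matched; every other listed field must pass its whitelist.
sub sanitize_rule_params {
    my ($in) = @_;
    my (%clean, @errors);
    for my $f (sort keys %allow) {
        my $v = $in->{$f};
        if (defined $v && $v =~ $allow{$f}) { $clean{$f} = $v }
        else { push @errors, "$f: rejected value" }
    }
    $clean{ruleremark} = escape_html($in->{ruleremark});
    return (\%clean, \@errors);
}

# Constructed sample submission: a remark carrying a script tag.
my ($clean, $errors) = sanitize_rule_params({
    PROT => 'tcp', SRC_PORT => '1024:65535', TGT_PORT => '443',
    dnatport => '8443', key => '7', src_addr => '192.168.1.0/24',
    tgt_addr => '10.0.0.5', std_net_tgt => 'GREEN',
    ruleremark => '<script>alert(1)</script>',
});
print "Rejected: $_\n" for @$errors;
print "<td>$clean->{ruleremark}</td>\n";   # tag is rendered as inert text
```

The remark reaches the rules page as `&lt;script&gt;…&lt;/script&gt;`, so a second administrator loading it sees literal text instead of executing it.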
IPFire maintainers have released version 2.29.1, which implements proper sanitization for PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr.
Limit administrative GUI access to trusted operators and networks, and deploy a strict Content Security Policy (CSP) header to restrict inline script execution within the firewall interface.
While other XSS variants exist in IPFire 2.29, this stored XSS path represents the most straightforward vector for real-world exploitation.
Administrators should prioritize patching and hardening their firewall management interfaces to prevent malicious JavaScript persistence and subsequent internal network compromise.