How to fix EUVD-2025-19902?

Within 24 hours: Identify all affected systems running Pi-hole and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Is Command Injection affected by EUVD-2025-19902?

Organizations using Pi-hole face significant risk from CVE-2025-34087, a OS command injection vulnerability rated CVSS 8.8. Successful exploitation could allow attackers to execute arbitrary code or commands on affected systems, potentially leading to full system compromise.

EUVD-2025-19902

| CVE-2025-34087 HIGH

2025-07-03 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 02:12 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 02:12 euvd

EUVD-2025-19902

PoC Detected

Oct 01, 2025 - 14:08 vuln.today

Public exploit code

CVE Published

Jul 03, 2025 - 20:15 nvd

HIGH 8.8

Description

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.

Analysis

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When adding a domain, the domain parameter is passed to OS commands without sanitization, allowing administrators to execute arbitrary commands with the Pi-hole daemon's privileges.

Technical Context

The web interface's allowlist functionality passes the domain parameter to shell commands for updating DNS configuration. Shell metacharacters in the domain field are not sanitized, allowing command injection. Commands execute with the pihole user's privileges, which include sudo rights for DNS management.

Affected Products

['Pi-hole <= 3.3']

Remediation

Update Pi-hole to the latest version. Use a strong admin password. Restrict Pi-hole admin interface access to trusted devices. Monitor DNS query logs for unusual resolution patterns.

Priority Score

111

Low Medium High Critical

KEV: 0

EPSS: +46.7

CVSS: +44

POC: +20

EUVD-2025-19902 vulnerability details – vuln.today

Back

EUVD-2025-19902

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-19902

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code