IPFire Firewall Admin Interface Vulnerability Enables Persistent JavaScript Injection

A newly disclosed vulnerability, tracked as CVE-2025-50975, exposes administrators of IPFire 2.29 to persistent cross-site scripting (XSS) attacks via its web-based firewall interface (firewall.cgi).

By failing to sanitize multiple rule parameters, the firewall interface allows an authenticated high-privilege user to inject malicious JavaScript that executes whenever another administrator views the firewall rules page.

The simplicity of exploitation and the persistent nature of the injection make this flaw particularly alarming for organizations relying on IPFire for perimeter defense.

Vulnerability Details and Impact

The vulnerability resides in the handling of several firewall rule parameters within firewall.cgi, including PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr.

None of these fields undergo proper input validation or output encoding, enabling an attacker with GUI access to embed a stored XSS payload.

Once injected, the malicious script runs in the context of any administrator’s session when they load the rules interface.

Because the malicious code executes in the administrator’s browser, it can:

  • Steal authentication cookies or session tokens, leading to full session hijacking.
  • Perform unauthorized changes to firewall rules or other configuration settings.
  • Pivot internally by using the administrator’s elevated privileges to access additional systems.
  • Implant further backdoors or launch additional attacks under the guise of a legitimate administrator.

The attack complexity is low and requires no special network positioning beyond GUI login.

An attacker can demonstrate the flaw with a simple proof-of-concept, as shown in a public demo GIF hosted on GitHub.

Parameter    | Description
-------------+--------------------------------------
PROT         | Protocol field for firewall rule
SRC_PORT     | Source port specification
TGT_PORT     | Target port specification
dnatport     | Destination NAT port
key          | Internal rule identifier
ruleremark   | Administrator’s comment field
src_addr     | Source IP address or network
std_net_tgt  | Standard network target designation
tgt_addr     | Target IP address or network

Mitigation and Recommendations

IPFire maintainers have released an updated version addressing this issue by implementing rigorous input validation and output sanitization across all rule parameters in the firewall interface.

Administrators are strongly advised to upgrade to the patched release of IPFire 2.29 immediately to prevent exploitation. Until the update is applied, organizations should adopt the following temporary mitigations:

  1. Restrict web-GUI access to a minimal set of trusted hosts via network ACLs or VPN.
  2. Enforce multi-factor authentication (MFA) for GUI logins to reduce the risk of credential compromise.
  3. Monitor firewall logs and web access logs for suspicious POST requests or unusual parameter values.
  4. Review existing firewall rules for unexpected JavaScript snippets or malformed entries.
  5. Educate administrators about XSS risks and encourage secure handling of GUI sessions.
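
For the rule review in step 4, and as an illustration of the allow-list validation and output encoding the affected fields lacked, here is an added example (not IPFire's code and not part of the original article). It assumes the rules have already been exported into dictionaries keyed by the parameter names above; the accepted formats, protocol set and sample rules are assumptions made for illustration.

```python
import html
import ipaddress
import re

# Assumed value formats for the advisory's parameters (not IPFire's own validation).
PROTOCOLS = {"", "TCP", "UDP", "ICMP", "GRE", "ESP", "AH"}
PORT_RE = re.compile(r"\d{1,5}(?:[:-]\d{1,5})?")
NAME_RE = re.compile(r"[A-Za-z0-9_ .-]*")
MARKUP_RE = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)

def valid_port(value):
    """Empty, a single port, or a low:high / low-high range within 1..65535."""
    if not PORT_RE.fullmatch(value):
        return value == ""
    return all(1 <= int(p) <= 65535 for p in re.split(r"[:-]", value))

def valid_addr(value):
    """Empty, or an IPv4/IPv6 address or CIDR network."""
    if value:
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
    return True

CHECKS = {
    "PROT": lambda v: v in PROTOCOLS,
    "SRC_PORT": valid_port, "TGT_PORT": valid_port, "dnatport": valid_port,
    "key": lambda v: re.fullmatch(r"\d*", v) is not None,
    "ruleremark": lambda v: not MARKUP_RE.search(v),
    "src_addr": valid_addr,
    "tgt_addr": valid_addr,
    "std_net_tgt": lambda v: NAME_RE.fullmatch(v) is not None,
}

def audit_rules(rules):
    """Return (rule index, field, HTML-escaped value) for each field failing its check."""
    return [(i, f, html.escape(str(r.get(f, "")), quote=True))
            for i, r in enumerate(rules)
            for f, check in CHECKS.items() if not check(str(r.get(f, "")))]

# Constructed sample data: rule 0 is clean, rule 1 carries markup in two fields.
SAMPLE_RULES = [
    {"key": "1", "PROT": "TCP", "TGT_PORT": "443", "src_addr": "10.0.0.0/24",
     "tgt_addr": "192.0.2.10", "std_net_tgt": "GREEN", "ruleremark": "HTTPS to web server"},
    {"key": "2", "PROT": "TCP", "TGT_PORT": "80<b>", "src_addr": "10.0.0.5",
     "tgt_addr": "192.0.2.11", "std_net_tgt": "ORANGE", "ruleremark": "<script>alert(1)</script>"},
]
```

Flagged values come back HTML-escaped, so a report built from the findings can be opened in a browser without re-triggering the stored markup.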

Given the low barrier to exploitation and severe consequences—including full administrative takeover and potential internal pivoting—this vulnerability must be remediated without delay.

Administrators are encouraged to verify the integrity of firewall rule configurations and apply the official patch to safeguard against persistent XSS attacks in IPFire 2.29.

The post IPFire Firewall Admin Interface Vulnerability Enables Persistent JavaScript Injection appeared first on Cyber Security News.

rssfeeds-admin
