Server-Side Request Forgery (SSRF) in Pi-hole - CVE-2024-34361

Published: April 8, 2026


Vulnerability identifier: #VU125387
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-34361
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pi-hole
Affected software:
Pi-hole

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to server-side request forgery in the gravity_DownloadBlocklistFromUrl() function when downloading blocklists from user-supplied URLs. A remote user can send a specially crafted URL using supported protocols to execute arbitrary code.

Exploitation depends on certain circumstances, including the presence of reachable internal services that can be abused through supported protocols such as gopher://.
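The defect class described above, as an added illustration that is neither Pi-hole's own code nor the vendor's fix: a blocklist fetcher in POSIX shell (Pi-hole's gravity script is shell-based, hence the language) that, instead of handing a user-supplied URL straight to curl with every built-in protocol enabled, allowlists the URL scheme, rejects literal loopback and private-range hosts, and pins curl to http/https for both the initial request and any redirect. The function names and the sample URLs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from Pi-hole): validate a user-supplied blocklist URL
# before it reaches curl, so that gopher:// and other non-web schemes, and
# requests aimed at internal hosts, are refused up front.

# validate_blocklist_url URL
# Returns 0 when the URL is acceptable, 1 (with a reason on stderr) otherwise.
validate_blocklist_url() {
    url=$1

    # 1. Scheme allowlist: only http:// and https:// are web blocklists.
    case "$url" in
        http://*|https://*) ;;
        *) echo "rejected: scheme not allowed: $url" >&2; return 1 ;;
    esac

    # 2. Extract the host: strip scheme, path, userinfo and port.
    #    Bracketed IPv6 literals ([::1]:80) are handled separately.
    host=${url#*://}
    host=${host%%/*}
    host=${host#*@}
    case "$host" in
        "["*) host=${host#"["}; host=${host%%"]"*} ;;
        *)    host=${host%%:*} ;;
    esac

    # 3. Reject empty hosts, loopback names and literal RFC 1918 /
    #    link-local / unique-local addresses.
    case "$host" in
        ""|localhost|*.localhost|127.*|0.*|10.*|192.168.*|169.254.*)
            echo "rejected: internal host: $host" >&2; return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "rejected: internal host: $host" >&2; return 1 ;;
        ::1|::|fc??:*|fd??:*|fe80:*)
            echo "rejected: internal host: $host" >&2; return 1 ;;
    esac
    return 0
}

# download_blocklist URL OUTFILE
# Only reached with a validated URL; curl is additionally confined to
# http/https so that a redirect cannot switch to another protocol.
download_blocklist() {
    validate_blocklist_url "$1" || return 1
    curl --fail --silent --show-error --location --max-redirs 3 \
         --proto '=http,https' --proto-redir '=http,https' \
         --max-time 60 --output "$2" "$1"
}
```

Two caveats a practitioner should keep in mind: the string checks only catch literal addresses, so a public hostname that resolves to an internal address is not caught here and needs either a resolve-then-check step or an egress policy on the host; and `--proto`/`--proto-redir` restrict the scheme only, so they complement rather than replace the host check.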


How to mitigate CVE-2024-34361

Install the security update from the vendor's website.

Sources