#VU125387 Server-Side Request Forgery (SSRF) in Pi-hole - CVE-2024-34361

 


Published: April 8, 2026


Vulnerability identifier: #VU125387
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-34361
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Pi-hole
Software vendor: Pi-hole

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to server-side request forgery in the gravity_DownloadBlocklistFromUrl() function when downloading blocklists from user-supplied URLs. A remote user can send a specially crafted URL using supported protocols to execute arbitrary code.

Exploitation depends on certain circumstances, including the presence of reachable internal services that can be abused through supported protocols such as gopher://.
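As a defensive illustration of the scheme dependency described above, the following added example (not Pi-hole's code and not the vendor's fix) audits a list of blocklist URLs and reports any whose scheme falls outside an allowlist. The function names, the http/https allowlist and the sample URLs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag blocklist URLs whose scheme is outside an allowlist.
# ALLOWED_SCHEMES is an assumption of this example, not the vendor's fix.
ALLOWED_SCHEMES="http https"

# Print the lowercased scheme of a URL, or nothing if it has none.
url_scheme() {
    case "$1" in
        *://*) printf '%s' "${1%%://*}" | tr 'A-Z' 'a-z' ;;
    esac
}

# Succeed only if the URL's scheme is well-formed and allowlisted.
is_allowed_url() {
    scheme=$(url_scheme "$1")
    case "$scheme" in
        ''|*[!a-z0-9+.-]*) return 1 ;;   # missing or malformed scheme
    esac
    for s in $ALLOWED_SCHEMES; do
        if [ "$scheme" = "$s" ]; then return 0; fi
    done
    return 1
}

# Read URLs on stdin (one per line) and print each rejected one.
audit_urls() {
    while IFS= read -r url || [ -n "$url" ]; do
        if [ -z "$url" ]; then continue; fi
        is_allowed_url "$url" || printf 'REJECT %s\n' "$url"
    done
}

# Constructed sample input (documentation addresses, not real lists).
sample_urls() {
    cat <<'EOF'
https://lists.example.org/hosts.txt
HTTP://lists.example.org/ads.txt
gopher://192.0.2.10:70/_x
file:///tmp/local.list
lists.example.org/no-scheme.txt
EOF
}
```

Run it as `audit_urls < urls.txt` against an exported list of configured blocklist URLs. Where the download itself is performed with curl, `--proto '=http,https'` together with `--proto-redir '=http,https'` applies the same restriction at request time, including across redirects.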


Remediation

Install the security update from the vendor's website.
