CVE-2019-25372 in OPNsense
Summary
by MITRE • 02/15/2026
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2019-25372 represents a critical reflected cross-site scripting flaw within OPNsense version 19.1, a popular open-source firewall and router management platform. This security weakness stems from inadequate input validation mechanisms that fail to properly sanitize user-supplied data before incorporating it into web responses. The vulnerability specifically affects the diag_traceroute.php endpoint, which processes host parameter inputs without sufficient sanitization measures, creating an exploitable condition that can be leveraged by unauthenticated attackers to execute malicious code within victim browser sessions.
The technical exploitation of this vulnerability occurs through crafted POST requests submitted to the diag_traceroute.php script, where the host parameter serves as the primary attack vector. When an attacker submits malicious input through this parameter, the web application reflects the unsanitized data back to the user's browser without proper encoding or validation, thereby enabling the execution of arbitrary JavaScript code within the context of the victim's authenticated session. This reflected XSS vulnerability operates under CWE-79, which categorizes cross-site scripting flaws as a result of insufficient input validation and output encoding. The attack vector specifically aligns with ATT&CK technique T1059.007 for JavaScript execution, demonstrating how attackers can leverage web application vulnerabilities to establish persistent malicious presence within network environments.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to potentially access sensitive administrative functions, steal session cookies, perform unauthorized actions on behalf of authenticated users, and gain deeper insights into the network infrastructure. Since the vulnerability affects an unauthenticated attack surface, it represents a significant threat vector that allows remote exploitation without requiring valid credentials. The reflected nature of the vulnerability means that successful attacks can be delivered through various means including phishing emails, compromised websites, or direct exploitation of vulnerable endpoints, making it particularly dangerous for organizations relying on OPNsense for network security. Organizations using this firewall platform face potential data breaches, privilege escalation, and unauthorized access to critical network resources.
Mitigation strategies for this vulnerability should prioritize immediate patching of affected OPNsense installations to version 19.1.10 or later, which contains the necessary fixes for the reflected XSS vulnerability. Network administrators should implement comprehensive input validation and output encoding measures across all web applications, ensuring that all user-supplied data is properly sanitized before being incorporated into web responses. Additionally, organizations should deploy web application firewalls and implement content security policies to provide additional layers of protection against similar attacks. Regular security assessments and vulnerability scanning should be conducted to identify potential weaknesses in web applications and ensure that input validation mechanisms remain effective against evolving attack techniques. The remediation process should also include monitoring for suspicious network activity and implementing proper access controls to limit the potential impact of successful exploitation attempts.