CVE-2024-28247 in pi-hole

Summary

by MITRE • 03/27/2024

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pi-hole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the application runs from behind, reading files is done as a privileged user. If the URL that is in the list of "Adslists" begins with "file*" it is understood that it is updating from a local file, on the other hand if it does not begin with "file*" depending on the state of the response it does one thing or another. The problem resides in the update through local files. When updating from a file which contains non-domain lines, 5 of the non-domain lines are printed on the screen, so if you provide it with any file on the server which contains non-domain lines it will print them on the screen. This vulnerability is fixed by 5.18.


Analysis

by VulDB Data Team • 10/10/2025

The vulnerability identified as CVE-2024-28247 affects Pi-hole, a widely deployed DNS sinkhole solution that operates as a network-level ad blocker without requiring client-side installations. This security flaw represents a critical privilege escalation and information disclosure vulnerability that allows authenticated users to access arbitrary internal server files through a flaw in the advertisement list update mechanism. The vulnerability specifically impacts the local file update functionality where Pi-hole processes advertisement lists from local filesystem locations, creating a path for unauthorized file reading that operates with elevated privileges due to the application's server-side execution context.

The technical root of this vulnerability is improper input validation within the advertisement list update process, specifically when handling list addresses that begin with the "file://" protocol prefix. When Pi-hole processes local files through this mechanism, it does not restrict which file paths may be supplied, so an authenticated user can point a list entry at any file on the server. The disclosure occurs when non-domain lines are encountered while the local list is parsed: the update prints up to five of those non-domain lines to the screen, leaking the contents of whatever file was supplied to the authenticated user.

This vulnerability maps to CWE-22 Improper Limitation of a Pathname to a Restricted Directory and CWE-200 Exposure of Sensitive Information, the weakness categories covering path traversal and information disclosure. The attack vector runs through Pi-hole's update mechanism: authenticated users can point the advertisement list sources at local file paths and thereby read system files that may contain configuration data, authentication credentials, or system logs. The severity is amplified by the fact that the update runs with privileged permissions, so the read is not limited to files the web user could otherwise access.

The operational impact of this vulnerability extends beyond simple information disclosure, as it creates a potential attack surface for privilege escalation and further exploitation. An authenticated attacker could leverage this vulnerability to extract system configuration files, database credentials, or other sensitive data that could be used for additional attacks or to gain deeper system access. The vulnerability affects versions prior to 5.18 and represents a significant security regression in the Pi-hole application's access control mechanisms. The fix implemented in version 5.18 addresses the core issue by introducing proper file path validation and restriction mechanisms that prevent arbitrary file reading through the local update functionality.

Organizations running Pi-hole should upgrade to version 5.18 or later, review and restrict who can manage adlists through the Pi-hole management interfaces, and apply network-level controls that limit access to the administration panel. The vulnerability illustrates the importance of input validation and privilege separation in network security appliances, particularly those that operate with elevated system privileges. Security monitoring should include detection of unusual file reading patterns, such as adlist entries with "file://" addresses pointing outside the expected list directory, or access attempts to sensitive system paths that might indicate exploitation. The case also highlights the need for security testing of file handling mechanisms in network infrastructure tools, particularly those that process user-provided input through privileged code paths.

The ATT&CK framework categorizes this vulnerability under T1083 File and Directory Discovery and T1566 Phishing with Social Engineering, as the attack requires authentication but provides extensive file access that could enable further reconnaissance and exploitation. Organizations should apply the principle of least privilege to Pi-hole management interfaces and consider additional authentication layers such as two-factor authentication to reduce the risk of unauthorized access to the vulnerable functionality. Regular security audits of network infrastructure tools should include assessment of file handling mechanisms and path traversal weaknesses, particularly in applications that pass user-provided data into system-level operations.
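As an added example, not code from Pi-hole or from the advisory, the following Python audit applies the two defensive points above: it classifies each adlist address the way the summary describes (a "file" scheme means a local update, anything else is remote), flags local sources that resolve outside an assumed allowed directory, and parses a local list while counting, rather than printing, non-domain lines. The allowed directory, the domain regex, the sample lines and the assumption that gravity.db has a v5-style `adlist` table with an `address` column are mine, not taken from the page.

```python
import re
import sqlite3
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_LOCAL_DIR = Path("/etc/pihole")  # assumption: only local lists under here are allowed
# Conservative hostname check: dotted labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

def audit_adlist_source(address, allowed_dir=ALLOWED_LOCAL_DIR):
    """Return 'remote', 'local-ok' or 'local-outside' for one adlist address."""
    parsed = urlparse(address.strip())
    if parsed.scheme != "file":
        return "remote"
    # resolve() collapses '..' and symlinks, so the check is made on the real path
    target = Path(parsed.path).resolve()
    allowed = allowed_dir.resolve()
    inside = target == allowed or allowed in target.parents
    return "local-ok" if inside else "local-outside"

def audit_gravity_db(db_path="/etc/pihole/gravity.db"):
    """Read adlist addresses from gravity.db (v5 'adlist' table assumed) and return verdicts."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    rows = con.execute("SELECT address FROM adlist").fetchall()
    con.close()
    return [(r[0], audit_adlist_source(r[0])) for r in rows]

def load_domains(lines):
    """Keep valid domain entries; count, but never echo, every other line."""
    domains, rejected = [], 0
    for raw in lines:
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        candidate = line.split()[-1]  # hosts-file style "0.0.0.0 host" -> host
        if DOMAIN_RE.match(candidate):
            domains.append(candidate)
        else:
            rejected += 1  # the bug described above printed such lines instead
    return domains, rejected

# Constructed sample list, including one line shaped like an /etc/passwd entry.
SAMPLE_LINES = [
    "# constructed sample adlist",
    "0.0.0.0 ads.example.com",
    "tracker.example.net",
    "root:x:0:0:root:/root:/bin/bash",
]
```

Running `audit_gravity_db()` on a live installation lists every configured source with its verdict; any `local-outside` entry is worth investigating as a possible abuse of the update path.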

Responsible

GitHub, Inc.

Reservation

03/07/2024

Disclosure

03/27/2024

Moderation

accepted

CPE

ready

EPSS

0.01414

KEV

no

Activities

very low

Sources
