Cyber Resilience

CVE-2024-34361

High · Public PoC

Published: 05 July 2024

Modified: 02 October 2025
KEV Added:
Patch:
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.5818 (98.2th percentile)
Risk Priority: 52 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-34361 is a high-severity SSRF (CWE-918) vulnerability in Pi-hole. Its CVSS base score is 8.5 (High).

Operationally, it is ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Pi-hole versions prior to 5.18.3 contain a server-side request forgery vulnerability in the gravity_DownloadBlocklistFromUrl() function. The affected component is the core DNS sinkhole software that blocks unwanted content for client devices without requiring local agents. The flaw is tracked as CWE-918 and carries a CVSS 3.1 score of 8.5.

An authenticated user with low privileges can exploit the issue over the network to force the server to issue internal requests. Under certain conditions this leads to remote command execution, granting the attacker full control over confidentiality, integrity, and availability of the Pi-hole instance.

The official GitHub security advisory GHSA-jg6g-rrj6-xfg6 and the referenced commit 2c497a9a3ea099079bbcd1eb21725b0ed54b529d state that version 5.18.3 contains the fix. The EPSS score has remained flat at 0.5818 with no material increase since disclosure.

EU & UK References

Vulnerability details

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pi-hole / pi-hole, version ≤ 5.18.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. (addresses CWE-918)
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. (addresses CWE-918)
- Validates server-side URLs and resource references to block SSRF attempts. (addresses CWE-918)
- Detects server-side request forgery through monitoring of unexpected outbound connections. (addresses CWE-918)
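The "validate server-side URLs" control above is the one a blocklist fetcher can apply directly: before the server downloads a user-supplied list URL, it restricts the scheme and port, refuses embedded credentials, resolves the host, and rejects any answer that lands in a private, loopback, link-local or otherwise non-public range. The following Python is an added illustration of that control and is not Pi-hole's code (its fetch logic is a shell function, and the advisory does not publish its validation); every name here, including `validate_blocklist_url`, the resolver functions and the `CONSTRUCTED_DNS` answers, is hypothetical, and the DNS table is constructed so the example runs offline.

```python
"""Allowlist-style validation of a blocklist URL before a server fetches it.

Added illustration of the CWE-918 control "validate server-side URLs";
this is NOT Pi-hole's code and all names are hypothetical.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_PORTS = {80, 443}

# Constructed DNS answers so the example runs offline; a deployment would
# pass system_resolver() instead.
CONSTRUCTED_DNS = {
    "lists.example.org": ["93.184.216.34"],
    "dual.example.org": ["93.184.216.34", "10.0.0.5"],  # one public, one RFC 1918 answer
    "intranet.corp": ["10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
}


def demo_resolver(host):
    """Offline stand-in for DNS: returns [] when the name is unknown."""
    return CONSTRUCTED_DNS.get(host.lower(), [])


def system_resolver(host):
    """Real resolver: every A/AAAA answer, since any of them may be used."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def is_public_address(ip):
    """True only for addresses a server-side fetcher should be allowed to reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is still 10.0.0.5
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_blocklist_url(url, resolve=demo_resolver):
    """Return (ok, reason, pinned_addresses).

    pinned_addresses is the set of vetted IPs the caller should connect to,
    rather than re-resolving the name at fetch time.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", set()
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", set()
    host = parts.hostname
    if not host:
        return False, "missing host", set()
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:
        return False, "malformed port", set()
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", set()
    # Literal IPs are checked directly; names are resolved and every answer checked.
    try:
        candidates = {ipaddress.ip_address(host)}
    except ValueError:
        candidates = set()
        for answer in resolve(host):
            try:
                candidates.add(ipaddress.ip_address(answer))
            except ValueError:
                return False, f"resolver returned unparsable address {answer!r}", set()
    if not candidates:
        return False, "host did not resolve", set()
    for ip in candidates:
        if not is_public_address(ip):
            return False, f"{host} maps to non-public address {ip}", set()
    return True, "ok", candidates


if __name__ == "__main__":
    for candidate in ("https://lists.example.org/hosts.txt",
                      "http://intranet.corp/list",
                      "http://[::ffff:10.0.0.5]/list",
                      "file:///etc/hosts"):
        print(candidate, "->", validate_blocklist_url(candidate)[:2])
```

Two design points matter for this class of control. First, every resolver answer is checked, not just the first, because a name that returns one public and one private address can otherwise slip through. Second, the function returns the vetted addresses so the fetch can be pinned to them; validating a name and then letting the HTTP client resolve it again leaves a window in which a changed DNS answer defeats the check. Monitoring and limiting the server's outbound connections at the boundary, the other controls listed above, remains the backstop for anything this validation does not anticipate.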

References