CVE-2025-34429 — Vulnetix

CVE-2025-34429 PUBLISHED CVSS 7 HIGH

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a port-change request; when a victim visits it while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the port on which the 1Panel web service listens, causing loss of access on the original port and resulting in service disruption or denial of service, and may unintentionally expose the service on an attacker-chosen port.

EPSS 0.04% · 12.9th percentile

Risk Scores

CVSS v4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.04%

12.9th percentile

Affected Products

Vendor	Product	Versions
fit2cloud	1panel	1.10.33, 1.10.33-lts
LXware	1Panel	1.10.33
github.com	1Panel-dev/1Panel	1.10.33

Timeline

Dec 10, 2025 CVE Published
Dec 11, 2025 EPSS Score
Dec 15, 2025 EPSS Score
Dec 19, 2025 EPSS Score
Dec 23, 2025 CVE Updated
Dec 23, 2025 EPSS Score
Dec 27, 2025 EPSS Score
Jan 1, 2026 EPSS Score
Jan 5, 2026 EPSS Score
Jan 9, 2026 EPSS Score
Jan 13, 2026 EPSS Score
Jan 17, 2026 EPSS Score

References

https://github.com/1Panel-dev/1Panel/releases url
https://1panel.pro/ url
https://www.vulncheck.com/advisories/1panel-csrf-web-port-configuration-change third-party-advisory
https://nvd.nist.gov/vuln/detail/CVE-2025-34429 advisory
https://1panel.pro url
https://github.com/1Panel-dev/1Panel package

Open in Interactive Console →