Netgate Discussion Forum

    how to fix CVE-2025-1647

Category: webGUI (4 Posts, 3 Posters, 271 Views)

gate123:

How do we fix the vulnerability in the latest pfSense?
It is using Bootstrap 3.4.1, which has reached EOL.

chpalmer:

        @gate123

From the Googley AI... which to me is just common sense anyway...

General Advice: To reduce risk, limit access to the pfSense WebGUI to trusted networks only and minimize the use of non-essential third-party packages that might expose vulnerable frontend components.

        Have you installed the "Patches" package?

        Triggering snowflakes one by one..
        Primary- Intel(R) Pentium(R) CPU G4400 @ 3.30GHz on an M470 WG box. pfSense+
        Lab Unit- Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box. pfSense CE 2.8.1

gate123:

We are using the latest pfSense 2.8.1 and found the older Bootstrap JavaScript during a vulnerability assessment.

Do we still have to patch? Any idea what the steps are to patch it to the latest Bootstrap 5.0?

RianKellyIT:

            ~~CVE-2025-1647 is an XSS vulnerability in Bootstrap 3.x's data-template attribute in Tooltip and Popover components. The severity in pfSense's specific context is worth understanding before deciding how to respond.

            The risk in pfSense is significantly lower than the CVE score suggests for a few reasons:

            • The pfSense WebGUI uses Bootstrap tooltips and popovers, but the data-template values are set by Netgate's own PHP code, not by user-supplied input in most cases
            • If your WebGUI is only accessible from trusted internal networks (as it should be), the attack surface is limited to already-authenticated administrators

            That said, for a vulnerability assessment the finding is legitimate since Bootstrap 3.4.1 is documented as EOL and carrying this CVE.

            What you can actually do:

            1. Upgrade to pfSense Plus 26.03 if you're on CE 2.8.1 and eligible. Netgate has been updating frontend dependencies in the Plus track. Check the release notes to see if Bootstrap was updated.

            2. For pfSense CE: there is no supported path to manually upgrade Bootstrap without breaking the webGUI, since the templates are tightly coupled to Bootstrap 3's API. Manually replacing bootstrap.min.js with a 5.x version will break the UI.

            3. Mitigation for your assessment: document that WebGUI access is restricted to trusted management networks/VLANs only. This is the standard accepted mitigation for bootstrap-in-admin-UI findings. Most security auditors accept this with a network diagram showing access controls.

            4. The "Patches" package chpalmer mentioned can apply unofficial fixes, but there is no community-maintained patch specifically for CVE-2025-1647 at the moment.

If you're stuck on CE 2.8.1 with a hard requirement to remediate, the only fully clean path is migrating to pfSense Plus where Netgate controls the update cadence.~~

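As an added example (not code from this thread, from Netgate, or from pfSense), here is a script covering the two things the reply above says an assessor actually ends up doing: confirming which Bootstrap branch the WebGUI serves (and whether the page uses the tooltip/popover components the CVE concerns), and checking that every firewall rule passing traffic to the WebGUI port comes from a trusted management prefix, which is the compensating control described in point 3. The HTML, the bootstrap.min.js banner, the firewall rules, the /vendor/... paths and the 10.10.0.0/24 management VLAN are all constructed for the illustration; nothing here triggers the XSS itself.

```python
"""
Added example for the assessment discussed above (not code from the thread,
from Netgate, or from pfSense): two checks an assessor would script.

1. Extract the Bootstrap version from the banner of the served bootstrap.min.js
   and note whether the page wires up tooltips/popovers or ships a
   data-template attribute. A 3.x hit is the EOL branch the thread ties to
   CVE-2025-1647; nothing here exercises the XSS itself.
2. Check that every firewall rule passing traffic to the WebGUI port is
   sourced from a trusted management prefix, the compensating control the
   thread says auditors usually accept.

Every input below is constructed sample data, not output captured from a
pfSense box; the /vendor/... paths and the 10.10.0.0/24 management VLAN are
assumptions for the illustration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed: the kind of <script> tags and tooltip markup a login page serves.
SAMPLE_HTML = """<html><head>
<script src="/vendor/jquery/jquery.min.js"></script>
<script src="/vendor/bootstrap/js/bootstrap.min.js"></script>
</head><body>
<a href="#" data-toggle="tooltip" title="help"
   data-template='<div class="tooltip"><div class="tooltip-inner"></div></div>'>?</a>
</body></html>"""

# Constructed: the banner comment at the top of a bootstrap.min.js file.
SAMPLE_BOOTSTRAP_JS = "/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */\n+function(a){}(jQuery);"

BANNER_RE = re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)")
BOOTSTRAP_SRC_RE = re.compile(r'<script[^>]+src="([^"]*bootstrap[^"]*\.js)"', re.I)
COMPONENT_RE = re.compile(r'data-toggle="(?:tooltip|popover)"|data-template=', re.I)


def bootstrap_script_paths(html: str) -> List[str]:
    """Script src values that look like Bootstrap; these are what you fetch next."""
    return BOOTSTRAP_SRC_RE.findall(html)


def bootstrap_version(js_source: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) parsed from the bootstrap.min.js banner, or None."""
    m = BANNER_RE.search(js_source)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def uses_tooltip_or_popover(html: str) -> bool:
    """True when the page uses the component family the CVE concerns."""
    return COMPONENT_RE.search(html) is not None


def classify_finding(version: Optional[Tuple[int, int, int]], html: str) -> str:
    """Wording for the assessment report; only the 3.x branch is flagged here."""
    if version is None:
        return "unknown: no Bootstrap banner found in served JS"
    ver = ".".join(map(str, version))
    if version[0] != 3:
        return f"Bootstrap {ver}: not the 3.x branch the CVE-2025-1647 finding covers"
    comp = ("tooltip/popover markup present" if uses_tooltip_or_popover(html)
            else "no tooltip/popover markup on this page")
    return f"Bootstrap {ver} (EOL 3.x branch, CVE-2025-1647 candidate); {comp}"


# Assumed management VLAN and WebGUI port for the illustration.
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]
WEBGUI_PORT = 443

# Constructed rules in a simplified shape; the second is deliberately too broad.
SAMPLE_RULES: List[Dict] = [
    {"iface": "LAN", "action": "pass", "src": "10.10.0.0/24", "dport": 443},
    {"iface": "LAN", "action": "pass", "src": "0.0.0.0/0", "dport": 443},
    {"iface": "LAN", "action": "pass", "src": "0.0.0.0/0", "dport": 53},
]


def webgui_exposures(rules: List[Dict], trusted, port: int = WEBGUI_PORT) -> List[Dict]:
    """Rules that pass traffic to the WebGUI port from outside every trusted prefix."""
    exposed = []
    for rule in rules:
        if rule["action"] != "pass" or rule["dport"] != port:
            continue
        src = ipaddress.ip_network(rule["src"], strict=False)
        # subnet_of() only compares same-family networks, so guard the version.
        ok = any(src.version == t.version and src.subnet_of(t) for t in trusted)
        if not ok:
            exposed.append(rule)
    return exposed


if __name__ == "__main__":
    print("bootstrap scripts:", bootstrap_script_paths(SAMPLE_HTML))
    print(classify_finding(bootstrap_version(SAMPLE_BOOTSTRAP_JS), SAMPLE_HTML))
    for rule in webgui_exposures(SAMPLE_RULES, TRUSTED_MGMT):
        print("WebGUI reachable from untrusted source:", rule)
```

Against real output you would feed `bootstrap_script_paths` the fetched login page, download each listed script and pass it to `bootstrap_version`; the rule check is meant to be run over the WebGUI-port rules exported from the firewall so the "restricted to management networks" statement in the report is backed by evidence rather than a diagram alone.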
            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.