Bug #16715

closed

Multiple redis and sqlite vulnerabilities reported in version used for 25.11.1

Added by Kris Phillips 1 day ago. Updated 1 day ago.

Status: Closed
Priority: Normal
Category: Operating System
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Force Exclusion
Affected Plus Version: 25.11.1
Affected Architecture:

Description

The following vulnerabilities were reported in a Nessus security scan of pfSense Plus:

CVE-2025-49844
CVE-2025-7709
CVE-2025-62507
CVE-2025-46817

These CVEs are for redis 8.2.1 and sqlite 3.50.2, which are present in pfSense Plus 25.11.1. Whether they have any actionable needs is unknown, but the package versions in the operating system do match vulnerable versions, based on the CVE data.

#1

Updated by Christian McDonald 1 day ago

  • Status changed from New to In Progress
  • Assignee set to Christian McDonald
  • Target version set to 26.03
  • Affected Plus Version set to 25.11.1

The upcoming release of pfSense Plus (26.03) includes updated versions of both redis and sqlite3.

We will need to look deeper to determine if upgrading these packages in older versions of pfSense is justified.

#2

Updated by Christian McDonald 1 day ago

  • Status changed from In Progress to Closed

I read through these vulnerabilities and I'm not seeing any obvious threat to pfSense in a typical configuration. Redis, as configured by the ntopng package, only binds to localhost. The FTS5 vulnerability in sqlite3 again would require unauthorized access at minimum in order to perform arbitrary queries.

#3

Updated by Christian McDonald 1 day ago

  • Release Notes changed from Default to Force Exclusion