CVE-2025-34114

Public Exploit

OpenBlow Missing Critical Security Headers

Description

A client-side security misconfiguration vulnerability exists in OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. This omission weakens browser-level defenses and exposes users to cross-site scripting (XSS), clickjacking, and referer leakage. Although some instances attempt to enforce CSP via HTML <meta> tags, this method is ineffective, as modern browsers rely on header-based enforcement to reliably block inline scripts and untrusted resources.

References

Link	Tags
https://seclists.org/fulldisclosure/2025/Jul/13	exploit third party advisory
https://www.openblow.it	product
https://www.vulncheck.com/advisories/openblow-missing-critical-security-headers	third party advisory

Frequently Asked Questions

What is the severity of CVE-2025-34114?: CVE-2025-34114 has been scored as a high severity vulnerability.
How to fix CVE-2025-34114?: To fix CVE-2025-34114, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-34114 being actively exploited in the wild?: It is possible that CVE-2025-34114 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-34114?: CVE-2025-34114 affects Laser Romae s.r.l. OpenBlow.

Description

Category

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions