For homelab enthusiasts and network-wide ad-blocking fans, the Pi-hole project is a cornerstone of a clean and secure browsing experience. The development team has just rolled out a significant multi-component update that delivers critical security fixes, long-awaited platform support, and major performance boosts. The Pi-hole Web 6.3 Core 6.2 release (which also includes FTL 6.3) is now available, and it’s an update you will want to apply immediately.
This isn’t just a minor patch. The new version directly addresses a “Medium” severity security flaw, hardens the web interface against future attacks, and—in a move celebrated by the lightweight container community—introduces official support for Alpine Linux. On top of that, a massive performance optimization under the hood promises to resolve long-standing “database locked” issues for many users.
Let’s break down the most important changes, starting with the critical security fix.
The Critical Pi-hole XSS Vulnerability Patch
Security is paramount for a device that inspects all your network’s DNS traffic. This update brings a vital Pi-hole XSS vulnerability patch via the new Web interface v6.3.
The vulnerability, tracked as CVE-2025-53533, was a “Reflected Cross-Site Scripting (XSS)” flaw. In simple terms, this vulnerability allowed an attacker to craft a malicious URL. If an authenticated Pi-hole administrator was tricked into clicking this link, the attacker’s malicious script could execute in the admin’s browser.
What Was the Risk?
Because the script would run within the context of the authenticated admin’s session, an attacker could potentially perform actions on their behalf. This might include changing blocklists, altering DNS settings, or disabling Pi-hole, effectively compromising the integrity of your network filter.
The vulnerability specifically lay in the 404 error page. The web interface would “reflect” the invalid URL path that was requested back to the user without properly sanitizing it first. An attacker could embed a script tag into this fake path, and the browser would execute it, thinking it was a legitimate part of the Pi-hole admin page.
The Fix: Web 6.3 and Content Security Policy (CSP)
The Pi-hole Web 6.3 update completely patches this flaw by ensuring all output is properly sanitized. But the team went a step further: they have also significantly improved the default Content Security Policy (CSP) headers.
A CSP is a modern, layered security defense that tells the browser exactly which sources are trusted to provide scripts, styles, and images. A strong CSP can prevent most XSS attacks from executing, even if a sanitization bug is missed. This two-pronged approach—fixing the bug and hardening the platform—makes the Pi-hole web interface substantially more secure.
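The two layers described above, shown as an added Python example rather than Pi-hole's own code: a 404 handler that reflects the requested path unchanged, next to one that HTML-encodes it and sends a CSP header. The function names, the sample path and the policy string are constructed for illustration and are not the values Pi-hole ships.

```python
import html
from urllib.parse import unquote

# Illustrative policy only; NOT the header value Pi-hole actually ships.
EXAMPLE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"

# Constructed request path carrying markup in place of a real page name.
SAMPLE_PATH = "/admin/%3Cscript%3Eprobe()%3C/script%3E"


def render_404_reflected(raw_path):
    """'Before': the decoded path is concatenated into HTML unchanged."""
    return "<h1>404</h1><p>Not found: " + unquote(raw_path) + "</p>"


def render_404_encoded(raw_path):
    """'After': encode for an HTML text context and attach a CSP header."""
    safe = html.escape(unquote(raw_path), quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": EXAMPLE_CSP,
    }
    return headers, "<h1>404</h1><p>Not found: " + safe + "</p>"


def csp_blocks_inline_script(policy):
    """Conservative check: does the effective script-src forbid inline script?

    Looks only at script-src (falling back to default-src) and treats any
    'unsafe-inline' token as permitting inline script.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and "'unsafe-inline'" not in sources


if __name__ == "__main__":
    print(render_404_reflected(SAMPLE_PATH))
    headers, body = render_404_encoded(SAMPLE_PATH)
    print(headers["Content-Security-Policy"])
    print(body)
    print(csp_blocks_inline_script(EXAMPLE_CSP))
```

With the encoded handler the markup arrives as inert text, and a policy without 'unsafe-inline' is the second layer that stops inline script if an encoding step is ever missed.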
A New Frontier: Official Pi-hole Alpine Linux Support
For years, users wanting to run Pi-hole on minimal systems had two main choices: use the official Docker container (which itself is based on Alpine) or rely on community-maintained packages and manual workarounds. Running Pi-hole on a “bare metal” Alpine Linux installation was not officially supported by the main installer.
With the release of Pi-hole Core v6.2, this changes completely. The project now officially includes Pi-hole Alpine Linux support.
This is fantastic news for the homelab community. Alpine Linux is an extremely lightweight, resource-efficient, and security-focused distribution. It’s the perfect choice for running a dedicated service like Pi-hole on low-power hardware (like a Raspberry Pi 1) or in a minimal virtual machine or LXC container where every megabyte of RAM counts.
This new support, detailed in the official Pi-hole blog post, includes:
- Proper package management integration with apk.
- Support for the OpenRC init system used by Alpine.
- Full compatibility with the standard pihole -up and pihole -r commands.
This opens the door for users to create highly optimized, minimal Pi-hole instances without relying on the overhead of Docker.
How to Update to Pi-hole v6.3 / v6.2
Given the security patch, updating is highly recommended for all users. The process remains as simple as ever for standard installations.
Standard (Bare Metal) Installation
- SSH into your Pi-hole server.
- Run the single update command:
  pihole -up
- The script will automatically fetch the latest versions of FTL (v6.3), Web (v6.3), and Core (v6.2), apply the necessary changes, and restart the services.
- After the update, it’s always a good idea to clear your browser cache before logging into the admin interface.
You can verify the update was successful by checking the footer of your Pi-hole web interface, which should now reflect the new version numbers.
Docker Installation
If you are running Pi-hole via Docker, the update process involves pulling the new image and recreating your container.
- Pull the latest image:
  docker pull pihole/pihole:latest
- Stop and remove your existing Pi-hole container.
- Recreate the container using the same docker run command, or docker-compose up -d with the same compose file, that you used for the initial setup, ensuring your persistent volumes are mapped correctly. Your settings and blocklists will be preserved as long as your volumes are managed properly.
Under the Hood: The Massive Performance Boost You Didn’t Know You Needed
Beyond the two main headlines, this Pi-hole Web 6.3 Core 6.2 release contains a powerful performance enhancement that may be the most impactful change for many users.
Previously, Pi-hole (specifically FTL) frequently used the external ip neigh show command to discover devices on the network for its ARP cache. On busy networks or in certain virtualized environments, running this external command repeatedly could cause high resource usage and lead to the dreaded “database locked” errors in the web interface, making it slow or unresponsive.
This update completely replaces that method. FTL now uses internal Netlink-based communication to get ARP cache information directly from the kernel. This is dramatically faster, more efficient, and uses far fewer resources. The result is a snappier interface, fewer errors, and a more stable experience, especially for users on complex networks.
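What reading the neighbour (ARP/NDP) table over Netlink involves, as an added Python illustration that is not FTL's implementation: an RTM_GETNEIGH dump request plus a bounds-checked parser for the RTM_NEWNEIGH replies. The function names are hypothetical; the numeric constants are the ones defined in the Linux netlink headers.

```python
import socket
import struct

# Layouts and constants from linux/netlink.h, rtnetlink.h and neighbour.h.
NLMSGHDR = struct.Struct("=IHHII")  # len, type, flags, seq, pid
NDMSG = struct.Struct("=BBHiHBB")   # family, pad1, pad2, ifindex, state, flags, type
RTATTR = struct.Struct("=HH")       # len, type
NLMSG_ERROR, NLMSG_DONE, RTM_NEWNEIGH, RTM_GETNEIGH = 2, 3, 28, 30
NLM_F_REQUEST, NLM_F_DUMP = 0x01, 0x300
NDA_DST, NDA_LLADDR = 1, 2
ADDR_LEN = {socket.AF_INET: 4, socket.AF_INET6: 16}

def parse_neighbors(buf):
    """Parse one netlink datagram; return ([(ifindex, ip, mac)], dump_finished)."""
    found, off = [], 0
    while off + NLMSGHDR.size <= len(buf):
        mlen, mtype, _, _, _ = NLMSGHDR.unpack_from(buf, off)
        if (mlen < NLMSGHDR.size or off + mlen > len(buf)
                or mtype in (NLMSG_DONE, NLMSG_ERROR)):
            return found, True                  # bad length, error, or end of dump
        body, end = off + NLMSGHDR.size, off + mlen
        if mtype == RTM_NEWNEIGH and mlen >= NLMSGHDR.size + NDMSG.size:
            family, _, _, ifindex, _, _, _ = NDMSG.unpack_from(buf, body)
            attrs, pos = {}, body + NDMSG.size
            while pos + RTATTR.size <= end:
                alen, atype = RTATTR.unpack_from(buf, pos)
                if alen < RTATTR.size or pos + alen > end:
                    break                       # malformed attribute
                attrs[atype] = bytes(buf[pos + RTATTR.size:pos + alen])
                pos += (alen + 3) & ~3          # attributes are 4-byte aligned
            dst, mac = attrs.get(NDA_DST), attrs.get(NDA_LLADDR)
            if dst and mac and len(dst) == ADDR_LEN.get(family):
                ip = socket.inet_ntop(family, dst)
                found.append((ifindex, ip, ":".join(f"{b:02x}" for b in mac)))
        off += (mlen + 3) & ~3                  # messages are 4-byte aligned too
    return found, False

def dump_neighbors():
    """Request the kernel neighbour table over NETLINK_ROUTE (Linux only)."""
    req = NLMSGHDR.pack(NLMSGHDR.size + NDMSG.size, RTM_GETNEIGH,
                        NLM_F_REQUEST | NLM_F_DUMP, 1, 0) + NDMSG.pack(0, 0, 0, 0, 0, 0, 0)
    entries, done = [], False
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE) as s:
        s.bind((0, 0))
        s.send(req)
        while not done:
            found, done = parse_neighbors(s.recv(65536))
            entries += found
    return entries
```

Calling dump_neighbors() returns the same address pairs that ip neigh show prints, without starting an external process for each refresh.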
Other notable changes include:
- Automatic TLS Certificate Renewal: The built-in web server now defaults to 47-day certificate validity and will automatically renew certificates before they expire.
- Updated Core Components: The release includes updated versions of dnsmasq (v2.92test21) and SQLite3 (3.50.4) for better performance and stability.
Conclusion: A More Secure, Efficient, and Versatile Pi-hole
The Pi-hole Web 6.3 Core 6.2 release is a must-have update. It patches a significant security vulnerability, hardens the web interface against future attacks, and introduces official support for Alpine Linux, a feature the lightweight server community has requested for years. The massive performance improvements from the new Netlink ARP handling are the icing on the cake, resolving stability issues for many.
This update reinforces the Pi-hole project’s commitment to security, performance, and platform versatility. If you run a Pi-hole instance, now is the time to run pihole -up and benefit from a more robust and responsive network-wide ad blocker.
Disclaimer: Always ensure you have a backup of your Pi-hole configuration before running a major update. You can create one by navigating to Settings > Teleporter > Backup in the web interface. While the update process is highly reliable, a backup is always a good safety measure.

