Executive Summary

CVE-2025-68614 is a stored Cross-Site Scripting (XSS) vulnerability in LibreNMS versions prior to 25.12.0. It occurs in the Alert Rule API where alert rules can be created or updated without proper sanitization of the alert rule name. The API allows injection of HTML or JavaScript code into the alert rule name, which is stored in the database. When a user later views the alert rules page, the injected code is decoded and executed in the user's browser, leading to stored XSS. This can happen because the API does not strip HTML tags from the input, unlike the web interface, and the rendering plugin decodes encoded characters, enabling script execution. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with high privileges to inject malicious HTML or JavaScript code into alert rule names via the API. When other users view the alert rules page, the injected code executes in their browsers, potentially leading to theft of session cookies, defacement, or other malicious actions within the context of the affected user's session. The impact includes low confidentiality, integrity, and availability risks, but it requires high privileges and user interaction to exploit. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting HTTP POST and PUT requests to URIs containing '/api/v0/rules' and checking if the JSON 'name' field includes the '<' character, which indicates potential HTML or script injection. For example, you can use network monitoring tools or command-line utilities like curl or tcpdump combined with grep to filter such requests. A sample command to detect suspicious API calls might be: curl -X POST -H "Content-Type: application/json" -d '{"name":"<script>alert(1)</script>"}' https://your-librenms-instance/api/v0/rules and observe if such payloads exist in your logs or traffic captures. Additionally, a proof-of-concept exploit script (poc.py) is available to test the vulnerability with appropriate parameters. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade LibreNMS to version 25.12.0 or later, where the vulnerability has been patched. The patch sanitizes input fields in the alert rule API by stripping HTML tags from the 'name' and 'notes' fields before processing or displaying them, preventing HTML/script injection. Until the upgrade can be applied, restrict access to the Alert Rule API to trusted users only, and monitor API usage for suspicious inputs containing HTML tags. Applying network-level protections or intrusion prevention systems that detect and block such injection attempts can also help mitigate risk temporarily. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The provided resources do not specify how this stored cross-site scripting (XSS) vulnerability in LibreNMS affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0