CVE-2025-68614
Stored XSS in LibreNMS Alert Rule API Allows HTML Injection
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librenms | librenms | 25.12.0 |
| librenms | librenms | 25.10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68614 is a stored Cross-Site Scripting (XSS) vulnerability in LibreNMS versions prior to 25.12.0. It occurs in the Alert Rule API where alert rules can be created or updated without proper sanitization of the alert rule name. The API allows injection of HTML or JavaScript code into the alert rule name, which is stored in the database. When a user later views the alert rules page, the injected code is decoded and executed in the user's browser, leading to stored XSS. This can happen because the API does not strip HTML tags from the input, unlike the web interface, and the rendering plugin decodes encoded characters, enabling script execution. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with high privileges to inject malicious HTML or JavaScript code into alert rule names via the API. When other users view the alert rules page, the injected code executes in their browsers, potentially leading to theft of session cookies, defacement, or other malicious actions within the context of the affected user's session. The impact includes low confidentiality, integrity, and availability risks, but it requires high privileges and user interaction to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting HTTP POST and PUT requests to URIs containing '/api/v0/rules' and checking whether the JSON 'name' field includes the '<' character, which indicates potential HTML or script injection. Network monitoring tools or command-line utilities such as tcpdump combined with grep can be used to filter such requests out of traffic captures or API logs. A request of the following shape is what such a filter should surface: curl -X POST -H "Content-Type: application/json" -d '{"name":"<script>alert(1)</script>"}' https://your-librenms-instance/api/v0/rules. Check whether payloads like this appear in your logs or traffic captures. Additionally, a proof-of-concept exploit script (poc.py) is available to test the vulnerability with appropriate parameters. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade LibreNMS to version 25.12.0 or later, where the vulnerability has been patched. The patch sanitizes input fields in the alert rule API by stripping HTML tags from the 'name' and 'notes' fields before processing or displaying them, preventing HTML/script injection. Until the upgrade can be applied, restrict access to the Alert Rule API to trusted users only, and monitor API usage for suspicious inputs containing HTML tags. Applying network-level protections or intrusion prevention systems that detect and block such injection attempts can also help mitigate risk temporarily. [1, 2]
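The detection rule (POST/PUT to '/api/v0/rules' whose 'name' or 'notes' contains '<') and the sanitization described in the patch, as an added example that is not part of the original page or of LibreNMS itself. The log records are constructed, and the sanitize function is an approximation of tag stripping, not the project's own code; it decodes HTML entities first because the rendering plugin decodes encoded characters before display.

```python
import html
import json
import re

# Constructed sample API log records; not real LibreNMS logs.
SAMPLE_RECORDS = [
    {"method": "POST", "uri": "/api/v0/rules",
     "body": '{"name": "High CPU on core routers", "notes": "page on-call"}'},
    {"method": "PUT", "uri": "/api/v0/rules/12",
     "body": '{"name": "<script>alert(1)</script>"}'},
    {"method": "POST", "uri": "/api/v0/rules",        # entity-encoded variant
     "body": '{"name": "&lt;script&gt;alert(1)&lt;/script&gt;"}'},
    {"method": "GET", "uri": "/api/v0/rules", "body": ""},   # read-only, ignored
    {"method": "POST", "uri": "/api/v0/devices",      # not the rules endpoint
     "body": '{"hostname": "<b>sw1</b>"}'},
    {"method": "POST", "uri": "/api/v0/rules",        # literal '<', benign but flagged
     "body": '{"name": "Disk free < 10%"}'},
]

WATCHED_FIELDS = ("name", "notes")   # fields the patch strips tags from [1, 2]
TAG_RE = re.compile(r"<[^>]*>")


def decoded_fields(body):
    """Parse the JSON body and return watched fields with HTML entities decoded."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return {}
    if not isinstance(data, dict):
        return {}
    return {k: html.unescape(str(v)) for k, v in data.items() if k in WATCHED_FIELDS}


def is_suspicious(record):
    """True for a rule create/update whose name or notes carries a '<' after decoding."""
    if record["method"] not in ("POST", "PUT") or "/api/v0/rules" not in record["uri"]:
        return False
    return any("<" in value for value in decoded_fields(record["body"]).values())


def scan(records):
    return [r for r in records if is_suspicious(r)]


def sanitize(value):
    """Approximation of the fix: decode entities, then drop anything tag-shaped."""
    return TAG_RE.sub("", html.unescape(value))


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["method"], hit["uri"], "->", sanitize(decoded_fields(hit["body"])["name"]))
```

A literal '<' in a legitimate threshold name also matches, so hits need a quick triage rather than automatic blocking.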
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this stored cross-site scripting (XSS) vulnerability in LibreNMS affects compliance with common standards and regulations such as GDPR or HIPAA.