CVE-2025-65013
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in LibreNMS allows attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when visited. The vulnerability affects LibreNMS instances prior to version 25.11.0, specifically through the /maps/nodeimage endpoint's Image Name parameter. Network administrators using vulnerable LibreNMS installations are at risk.
💻 Affected Systems
- LibreNMS
📦 What is this software?
LibreNMS by LibreNMS
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on victim systems.
Likely Case
Session hijacking leading to unauthorized access to the LibreNMS dashboard, potentially allowing network reconnaissance or configuration changes.
If Mitigated
Limited impact with proper Content Security Policy (CSP) headers and session management controls in place.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly weaponized and require minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.11.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x
Restart Required: No
Instructions:
1. Back up your LibreNMS installation and database.
2. Update to version 25.11.0 or later using git: 'git pull origin master'.
3. Run database updates: './daily.sh'.
4. Clear cache: './lnms cache:clear'.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to sanitize the Image Name parameter before processing.
Modify the relevant PHP file so that the Image Name parameter is passed through htmlspecialchars() (or equivalent output encoding) wherever it is written into the HTML response.
Web Application Firewall (WAF)
Configure WAF rules to block XSS payloads targeting the /maps/nodeimage endpoint.
Example ModSecurity rule. It is chained so that only requests to the endpoint whose parameters look like XSS are denied; a single unchained rule on REQUEST_URI alone would deny every request to the endpoint, including legitimate ones:
SecRule REQUEST_URI "@contains /maps/nodeimage" "id:1001,phase:2,deny,status:403,msg:'XSS attempt blocked',chain"
    SecRule ARGS "@detectXSS" "t:none,t:urlDecodeUni,t:htmlEntityDecode"
🧯 If You Can't Patch
- Restrict access to the /maps/nodeimage endpoint using network ACLs or authentication requirements.
- Implement Content Security Policy (CSP) headers to mitigate script execution impact.
🔍 How to Verify
Check if Vulnerable:
Test the /maps/nodeimage endpoint with a simple XSS payload like '<script>alert(1)</script>' in the Image Name parameter and check if it executes.
Check Version:
cd /opt/librenms && git describe --tags
Verify Fix Applied:
After patching, test the same XSS payload; it should be properly encoded and not execute.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /maps/nodeimage containing script tags or JavaScript code in parameters
- Unusual user agent strings or referrer headers
Network Indicators:
- HTTP GET requests with encoded script payloads in query parameters
SIEM Query:
source="web_access.log" AND uri_path="/maps/nodeimage" AND (query="*<script*" OR query="*javascript:*")
This query matches only literal payloads; URL-decode the query field first (or also match the URL-encoded forms) to catch the encoded requests listed under Network Indicators.
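As an added example (not part of the advisory), a small Python detector that applies the log indicators above to constructed sample access-log lines, URL-decoding parameter values before matching so that encoded and double-encoded payloads are flagged as well as literal ones. The parameter name `image`, the combined-log-format layout and the sample lines are assumptions; LibreNMS only documents the parameter as "Image Name".

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in combined log format; not real LibreNMS logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2025:10:00:01 +0000] "GET /maps/nodeimage?image=router1.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Dec/2025:10:00:02 +0000] "GET /maps/nodeimage?image=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 900 "-" "curl/8.0"
10.0.0.9 - - [01/Dec/2025:10:00:03 +0000] "GET /maps/nodeimage?image=javascript%3Aalert(1) HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2025:10:00:04 +0000] "GET /devices?name=%3Cscript%3E HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/maps/nodeimage"
# Markers taken from the Log Indicators section; extend as needed.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def decode_param(value: str) -> str:
    """Strip up to two layers of URL encoding so double-encoded payloads are caught."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def suspicious_params(target: str) -> list[str]:
    """Return the names of query parameters carrying an XSS marker, for the target path only."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if any(marker in decode_param(value) for marker in XSS_MARKERS):
            hits.append(name)
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each access-log line and report requests that hit the endpoint with an XSS marker."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined log format
        params = suspicious_params(m["target"])
        if params:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "params": params})
    return findings
```

Feed real access logs to scan_log() and forward the findings (source IP, timestamp, parameter name) to your SIEM; a 200 status on a flagged request is a sign the instance is still unpatched.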