CVE-2025-68614

4.3 MEDIUM

📋 TL;DR

This stored XSS vulnerability in LibreNMS allows attackers to inject malicious HTML/JavaScript into alert rule names via the API. When administrators view these alert rules, the malicious code executes in their browser session. All LibreNMS instances prior to version 25.12.0 are affected.

💻 Affected Systems

Products:
  • LibreNMS
Versions: All versions prior to 25.12.0
Operating Systems: All platforms running LibreNMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires API access to create/update alert rules. Default installations with API enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as administrators, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Attackers with API access could inject malicious scripts to steal session tokens or perform limited administrative actions, potentially escalating privileges.

🟢 If Mitigated

With proper API access controls and input validation, impact is limited to authenticated users with API permissions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated API access. The vulnerability is straightforward to exploit once API credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 25.12.0

Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-c89f-8g7g-59wj

Restart Required: No

Instructions:

1. Back up your LibreNMS installation and database.
2. Update to version 25.12.0 or later using your preferred update method (git pull, package update, or manual download).
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable Alert Rule API

Platforms: all

Temporarily disable the alert rule API functionality to prevent exploitation.

Edit the LibreNMS configuration to restrict API access or disable the alert rule endpoints.

Input Validation Filter

Platforms: all

Implement custom input validation for alert rule names to strip HTML/JavaScript.

Add input sanitization in the alert rule creation/update logic.

🧯 If You Can't Patch

  • Restrict API access to trusted IP addresses only
  • Implement web application firewall rules to block XSS payloads in API requests

🔍 How to Verify

Check if Vulnerable:

Check whether the LibreNMS version is below 25.12.0 and the API is enabled.

Check Version:

php includes/html/common.inc.php -v | grep 'LibreNMS'

Verify Fix Applied:

Verify that the version is 25.12.0 or later, then test alert rule creation with XSS payloads to confirm they are sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual alert rule creation/modification via API
  • API requests containing HTML/JavaScript in alert rule names

Network Indicators:

  • HTTP POST requests to /api/v0/alert-rules with suspicious content

SIEM Query:

source="librenms" AND (uri_path="/api/v0/alert-rules" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
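As an added example (not code from the page, LibreNMS, or the advisory), a Python detector that applies the log indicators above to constructed API access-log lines. The log field names (ts, src_ip, method, uri_path, body) and the assumption that the request body is logged as JSON are mine; it also goes slightly beyond the SIEM query by flagging any HTML tag and inline event-handler attributes, not only `<script>` and `javascript:`.

```python
import json
import re

# Constructed sample API access-log lines (one JSON object per line). These are
# not real LibreNMS logs; the field names and body format are assumed.
SAMPLE_LOG = r"""
{"ts":"2025-12-01T10:00:00Z","src_ip":"10.0.0.5","method":"POST","uri_path":"/api/v0/alert-rules","body":"{\"name\":\"Core router down\",\"severity\":\"critical\"}"}
{"ts":"2025-12-01T10:02:00Z","src_ip":"10.0.0.9","method":"POST","uri_path":"/api/v0/alert-rules","body":"{\"name\":\"<script>alert(1)</script>\",\"severity\":\"warning\"}"}
{"ts":"2025-12-01T10:03:00Z","src_ip":"10.0.0.9","method":"PUT","uri_path":"/api/v0/alert-rules/12","body":"{\"name\":\"javascript:alert(1)\"}"}
{"ts":"2025-12-01T10:04:00Z","src_ip":"10.0.0.7","method":"GET","uri_path":"/api/v0/devices","body":""}
{"ts":"2025-12-01T10:05:00Z","src_ip":"10.0.0.3","method":"POST","uri_path":"/api/v0/alert-rules","body":"{\"name\":\"Uplink <20% free\"}"}
this line is not JSON and must be skipped
"""

# Markup that has no place in a plain-text alert rule name: an HTML tag opener,
# a javascript: URI, or an inline event-handler attribute (onload=, onerror=, ...).
# A bare "<" followed by a digit (as in "<20%") is deliberately not flagged.
SUSPICIOUS = re.compile(r"<\s*/?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def rule_name_is_suspicious(name: str) -> bool:
    """True if the rule name contains HTML/JavaScript markup rather than plain text."""
    return bool(SUSPICIOUS.search(name))

def find_suspicious_rule_requests(log_text: str) -> list[dict]:
    """Return write requests to the alert-rule API whose rule name looks like markup."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            raw_body = entry.get("body") if isinstance(entry, dict) else None
            body = raw_body if isinstance(raw_body, dict) else json.loads(raw_body or "{}")
        except (json.JSONDecodeError, TypeError):
            continue  # malformed line or non-JSON body: nothing to inspect
        if not isinstance(entry, dict) or not isinstance(body, dict):
            continue
        if entry.get("method") not in ("POST", "PUT", "PATCH"):
            continue  # only writes can store a rule name
        if not str(entry.get("uri_path", "")).startswith("/api/v0/alert-rules"):
            continue
        name = body.get("name")
        if isinstance(name, str) and rule_name_is_suspicious(name):
            hits.append({"ts": entry.get("ts"), "src_ip": entry.get("src_ip"), "name": name})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_rule_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src_ip']} suspicious alert rule name: {hit['name']!r}")
```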
