CVE-2025-68614

CVE-2025-68614 is a medium-severity cross-site scripting (XSS) vulnerability in librenms/librenms (composer), affecting versions < 25.12.0. It is fixed in 25.12.0.

Summary

Please find POC file here https://trendmicro-my.sharepoint.com/:u:/p/kholoud_altookhy/IQCfcnOE5ykQSb6Fm-HFI872AZ_zeIJxU-3aDk0jh_eX_NE?e=zkN76d

ZDI-CAN-28575: LibreNMS Alert Rule API Cross-Site Scripting Vulnerability

-- CVSS -----------------------------------------

4.3: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
LibreNMS - LibreNMS

-- VULNERABILITY DETAILS ------------------------

  • Version tested: 25.10.0
  • Installer file: NA
  • Platform tested: NA

Analysis

LibreNMS Alert Rule API Stored Cross-Site Scripting

Overview

Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code.

Affected versions

The latest version at the time of writing (25.10.0) is vulnerable.

Root cause

When an alert rule is created or updated via the API, the function add_edit_rule() in includes/html/api_functions.inc.php adds or updates the entry in the database. When an alert rule is created via the web interface, HTML tags are stripped from the rule name; the API code path performs no such stripping, so whatever the caller sends is stored verbatim.

As such, it is possible to create an alert rule where the name is:

<script>alert(1)</script>

Later, when a victim browses to the Alerts > Alert Rule page, the PHP script includes/html/print-alert/rules.php is called. It notably includes the file includes/html/modal/alert_rule_list.inc.php, which returns the HTML for a modal window that searches alert rules.

The modal window includes an HTML table with all rules, including their names, and an inline JavaScript that calls the bootgrid() function (http://www.jquery-bootgrid.com/) to style and enhance the table.

alert_rule_list.inc.php passes the rule name through the e() helper before placing it in the table, which encodes HTML special characters as character references, so the markup as served by the server is inert. However, the bootgrid() function rewrites the table cell contents when it enhances the table: it reads each cell as text, which decodes those character references, and writes the value back through an HTML template. Once the script has rewritten the table, the browser parses the decoded payload as markup and adds it to the DOM, where it executes in the victim's session. The server-side encoding is correct but is undone by the client-side rewrite.
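The round trip described above, as an added example that is not LibreNMS or jquery-bootgrid code: a server-side encoder modelled on Laravel's e() (htmlspecialchars with ENT_QUOTES), a decoder standing in for what reading a cell as text returns in a browser, and two table rewriters, one that templates the decoded value back as HTML (the pattern the advisory describes) and one that re-escapes it. The entity handling is deliberately minimal and the function names are this example's own.

```javascript
// Added example, not LibreNMS or jquery-bootgrid code: models the
// encode-then-decode round trip with simplified entity handling so the
// outcome can be checked without a browser.

// Server side: the subset of htmlspecialchars(ENT_QUOTES) that Laravel's
// e() helper applies before the rule name lands in the table cell.
function e(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Browser side: what reading a cell as text (Node.textContent, jQuery .text())
// yields. Character references in the HTML source come back decoded.
function decodeEntities(html) {
  return html
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#0?39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" becomes "&lt;", not "<"
}

// Server renders one cell of the rules table with the encoded name.
function renderServerCell(ruleName) {
  return `<td>${e(ruleName)}</td>`;
}

// Raw inner HTML of a cell, as it would be written into the document.
function innerHtml(cellHtml) {
  return cellHtml.replace(/^<td[^>]*>|<\/td>$/g, '');
}

// The cell read as text: references decoded, the original value recovered.
function cellText(cellHtml) {
  return decodeEntities(innerHtml(cellHtml));
}

// Table enhancer as described on the page: read the cell as text, then
// rebuild it from an HTML template. The decoded value is now raw markup.
function enhanceUnsafe(cellHtml) {
  return `<td class="enhanced">${cellText(cellHtml)}</td>`;
}

// Hardened variant: anything read as text is re-escaped before templating
// (equivalently, write it back with a text setter rather than an HTML one).
function enhanceSafe(cellHtml) {
  return `<td class="enhanced">${e(cellText(cellHtml))}</td>`;
}

// True when the cell's inner HTML contains a tag, i.e. the value would be
// parsed as markup when the cell is written back into the document.
function containsActiveMarkup(cellHtml) {
  return /<[a-zA-Z\/]/.test(innerHtml(cellHtml));
}

// Full pipeline for one rule name: server encodes, client rewrites.
function survivesPipeline(ruleName, enhance) {
  return containsActiveMarkup(enhance(renderServerCell(ruleName)));
}

// Constructed rule name, taken from the advisory's description.
const payload = '<script>alert(1)</script>';
const served = renderServerCell(payload);
console.log('as served:     ', served, '->', containsActiveMarkup(served));
console.log('unsafe rewrite:', enhanceUnsafe(served), '->', survivesPipeline(payload, enhanceUnsafe));
console.log('safe rewrite:  ', enhanceSafe(served), '->', survivesPipeline(payload, enhanceSafe));
```

Two caveats when reproducing this in a real browser: a `<script>` element inserted through a bare innerHTML assignment does not execute, but jQuery's .html() and .append() evaluate inline scripts, and an `<img src=x onerror=...>` payload fires either way; and the hardened variant above only works if every write-back path re-escapes, since one formatter that templates raw text is enough to reopen the issue.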

Detection guidance

  • inspect HTTP POST and PUT requests whose Request-URI includes the string /api/v0/rules
  • check whether the name JSON value includes a < character
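The two detection steps above, as an added example that is not part of the advisory or of LibreNMS: a scanner run over constructed request records. The record shape ({method, uri, headers, body}) is an assumption to adapt to your proxy or access-log format; X-Auth-Token is the header LibreNMS API clients authenticate with, and its tail is kept only to attribute a finding to a token. The body is parsed as JSON before the check, because a client can send "\u003c" in JSON and the raw body then never contains a literal < character.

```javascript
// Added example, not advisory or LibreNMS code: the detection guidance run
// over constructed request records.

// Not anchored at the start, so a LibreNMS instance served under a path
// prefix still matches; the string after /rules is optional.
const RULES_PATH = /\/api\/v0\/rules(?:\/\d+)?\/?(?:\?|$)/;

// Parse a JSON body, returning null for non-JSON rather than throwing.
function parseJsonBody(raw) {
  try {
    const parsed = JSON.parse(raw);
    return parsed && typeof parsed === 'object' ? parsed : null;
  } catch (err) {
    return null;
  }
}

// Returns a finding object, or null, for one request record.
function inspectRequest(rec) {
  if (rec.method !== 'POST' && rec.method !== 'PUT') return null;
  if (!RULES_PATH.test(rec.uri)) return null;
  const body = parseJsonBody(rec.body);
  if (body === null || typeof body.name !== 'string') return null;
  // Checked after parsing: "\u003c" in the raw body decodes to "<" here.
  if (!body.name.includes('<')) return null;
  const token = (rec.headers && rec.headers['x-auth-token']) || '';
  return {
    method: rec.method,
    uri: rec.uri,
    name: body.name,
    tokenHint: token ? token.slice(-4) : 'none', // enough to attribute, not to reuse
  };
}

function scan(records) {
  return records.map(inspectRequest).filter(Boolean);
}

// Constructed sample traffic (not captured data). The PUT uses the same
// collection path with rule_id in the body, as the LibreNMS API does.
const SAMPLE_REQUESTS = [
  { method: 'POST', uri: '/api/v0/rules', headers: { 'x-auth-token': 'a1b2c3d4e5f6' },
    body: '{"name":"CPU above 90% on core routers","severity":"critical"}' },
  { method: 'POST', uri: '/api/v0/rules', headers: { 'x-auth-token': 'a1b2c3d4e5f6' },
    body: '{"name":"<script>alert(1)</script>","severity":"critical"}' },
  { method: 'PUT', uri: '/api/v0/rules', headers: { 'x-auth-token': '0000deadbeef' },
    body: '{"rule_id":17,"name":"\\u003cimg src=x onerror=alert(1)\\u003e"}' },
  { method: 'GET', uri: '/api/v0/rules/17', headers: {}, body: '' },
  { method: 'POST', uri: '/api/v0/devices', headers: {}, body: '{"hostname":"<not-a-rule>"}' },
  { method: 'POST', uri: '/api/v0/rules', headers: {}, body: 'not json' },
];

console.log(JSON.stringify(scan(SAMPLE_REQUESTS), null, 2));
```

Run as-is, the scanner reports the second and third records only: the literal `<script>` name and the JSON-escaped `<img>` name, the latter attributed to the token ending in beef. A rule that greps the raw body for < would miss the third one.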

PoC

The proof-of-concept can be run as such:

python3 poc.py ip_addr -T <token>

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Simon Humbert of Trend Research of Trend Micro

-- FURTHER DETAILS ------------------------------

Supporting files:

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
[email protected]

The PGP key used for all ZDI vendor communications is available from:

http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Impact

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Here the untrusted input is an alert rule name written through the API, so the attacker needs an API token that can create or edit alert rules (hence PR:H in the vector), and the victim is any user who opens the Alert Rule page. Typical impact: session or credential theft, and actions taken in LibreNMS as that user, including as an administrator.

CVE-2025-68614 has a CVSS score of 4.3 (Medium). The vector is network-reachable, high privileges required (an API token able to manage alert rules), and user interaction required (a victim must view the Alert Rule page). A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your deployment depends on whether the vulnerable code is present and reachable, in particular whether API tokens with rule-management rights are issued to anyone you would not trust to inject markup. A fixed version is available (25.12.0); upgrading removes the vulnerable code path.

Affected versions

librenms/librenms (< 25.12.0)

Security releases

librenms/librenms → 25.12.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade librenms/librenms to 25.12.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-68614? CVE-2025-68614 is a medium-severity cross-site scripting (XSS) vulnerability in librenms/librenms (composer), affecting versions < 25.12.0. It is fixed in 25.12.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2025-68614? CVE-2025-68614 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of librenms/librenms are affected by CVE-2025-68614? librenms/librenms (composer) versions < 25.12.0 are affected.
  4. Is there a fix for CVE-2025-68614? Yes. CVE-2025-68614 is fixed in 25.12.0. Upgrade to this version or later.
  5. Is CVE-2025-68614 exploitable, and should I be worried? Whether CVE-2025-68614 is exploitable in your environment depends on whether the vulnerable code is present and reachable: an attacker needs an API token that can create or edit alert rules, and a victim must then open the Alert Rule page. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-68614 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-68614? Upgrade librenms/librenms to 25.12.0 or later.

Other vulnerabilities in librenms/librenms

  • CVE-2026-6204
  • CVE-2026-26990
  • CVE-2026-26989
  • CVE-2026-26988
  • CVE-2026-27016
