GHSA-6g2v-66ch-6xmh
LOWLibreNMS alert-rules has a Cross-Site Scripting Vulnerability
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
librenms/librenmsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Executive Summary
Product: LibreNMS
Vendor: LibreNMS
Vulnerability Type: Cross-Site Scripting (XSS)
CVSS Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
Affected Version: 25.8.0 (latest at time of discovery)
POC File: Download POC
Ticket: ZDI-CAN-28105: LibreNMS Alert Rules Cross-Site Scripting Vulnerability
Vulnerability Details
Description
Trend Micro's Zero Day Initiative has identified a Cross-Site Scripting vulnerability in LibreNMS. The vulnerability exists in the Alert Rules functionality where the alert rule name is not properly sanitized, allowing injection of HTML code.
Technical Details
Version Tested: 25.8.0
Installer File: 25.8.0.tar.gz
Download Link: https://github.com/librenms/librenms/archive/refs/tags/25.8.0.tar.gz
Platform: N/A
Attack Vector
When browsing to Alerts > Alert Rules page, a LibreNMS admin can add and manage alert rules. The alert rule name field is vulnerable to XSS attacks through improper sanitization.
Root Cause Analysis
Vulnerable Request
When creating or updating an alert rule, the following HTTP POST request is sent to /ajax_form.php:
POST /ajax_form.php HTTP/1.1
...
_token=9YjTntCuMIe2ujpumwqJQoENRXUhJzlDt33Xu7kx&device_id=-1&device_name=&rule_id=&type=alert-rules&template_id=&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%2242%22%7D%5D%2C%22valid%22%3Atrue%7D&name=%3Ci%3Efoo%3C%2Fi%3E&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=equal&builder_rule_0_value_0=42&severity=warning&count=1&delay=1m&interval=5m&recovery=on&acknowledgement=on&proc=¬es=&adv_query=
Code Flow
- Request Processing: PHP script
includes/html/forms/alert-rules.inc.phpprocesses the request - Sanitization Attempt: Calls
strip_tags()to sanitize thenameparameter - Database Operation: Calls
dbUpdate()ordbInsert()to save the rule
Bypass Technique
The sanitization can be bypassed using XML character references:
<script>alert(1)</script>
Execution Path
- Page Load: Victim browses to Alerts > Alert Rules page
- Script Execution:
includes/html/print-alert/rules.phpis called - Modal Inclusion: Includes
includes/html/modal/alert_rule_list.inc.phpwhich returns HTML for modal window - Table Rendering: Modal contains HTML table with all rules and inline JavaScript calling
bootgrid()function - XSS Trigger: The
bootgrid()function (http://www.jquery-bootgrid.com/) rewrites table cells, decoding XML character references - Code Execution: Browser interprets the decoded payload as HTML tags and executes the injected script
Proof of Concept
Usage
python3 poc.py client ip_addr -U <username> -P <password>
Optional Parameters
-E [kvp|multipart]- Specify HTTP request parameter encoding
Credit
Discovered by: Simon Humbert of Trend Research, Trend Micro
About Zero Day Initiative (ZDI)
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
References
- ZDI Website: http://www.zerodayinitiative.com
- Disclosure Policy: http://www.zerodayinitiative.com/advisories/disclosure_policy/
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | librenms/librenms | all versions | 25.10.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for librenms/librenms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update librenms/librenms to 25.10.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-6g2v-66ch-6xmh is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-6g2v-66ch-6xmh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-6g2v-66ch-6xmh. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-6g2v-66ch-6xmh in your dependencies?
O3 detects GHSA-6g2v-66ch-6xmh across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.