How the CVE Works
The CVE-2025-XXXX vulnerability in LibreNMS v25.4.0 lies in the handling of the poller group name parameter. When distributed polling is enabled, the application fails to properly sanitize user-supplied input in the group name field at /poller/groups. This allows attackers to inject malicious JavaScript payloads that are stored permanently in the system. When administrators or other privileged users view the poller groups page, the script executes in their browser context, enabling session hijacking, account takeover, or administrative actions on behalf of the victim. The vulnerability stems from missing output encoding in the `addhost.inc.php` file, where group names are rendered without proper HTML entity escaping.
Platform: LibreNMS
Version: 25.4.0
Vulnerability: Stored XSS
Severity: Critical
Date: 2025-05-17
What Undercode Say:
Analytics:
- Attack Vector: Web-based
- Complexity: Low
- Privilege Required: None
- User Interaction: Required
- Scope: Changed
Exploit Commands:
curl -X POST 'http://target/poller/groups' -d "group_name=<script>alert(1)</script>"
fetch('/poller/groups', { method: 'POST', body: 'group_name=<img src=x onerror=stealCookies()>' });
Protection Commands:
# Immediate mitigation (same replacement as the patch code below):
sudo sed -i "s/echo \$group;/echo htmlspecialchars(\$group, ENT_QUOTES, 'UTF-8');/g" /opt/librenms/includes/html/pages/addhost.inc.php
-- Database cleanup for existing attacks (removes only the literal string '<script>'):
UPDATE poller_groups SET group_name = REPLACE(group_name, '<script>', '');
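The cleanup query above strips one literal string, so a stored value such as the `<img ... onerror>` payload listed earlier stays in the table. The following Python script is an added example, not LibreNMS code and not part of the original post: it audits exported group names after that cleanup and shows their output-encoded form. The sample rows and function names are constructed for illustration, and `html.escape` stands in for PHP's `htmlspecialchars`.

```python
import html
import re

# Constructed sample rows standing in for (id, group_name) from poller_groups.
SAMPLE_ROWS = [
    (1, "core-routers"),
    (2, "<script>alert(1)</script>"),
    (3, "<img src=x onerror=stealCookies()>"),
    (4, "<ScRiPt>alert(1)</ScRiPt>"),
    (5, "lab & staging"),
]

# Characters that can open a tag or break out of a quoted attribute.
MARKUP = re.compile(r"[<>\"']")


def blacklist_cleanup(name):
    """Mimic REPLACE(group_name, '<script>', ''): one literal, case-sensitive."""
    return name.replace("<script>", "")


def needs_review(name):
    """True when the stored value still carries markup characters."""
    return bool(MARKUP.search(name))


def render_escaped(name):
    """Output-encode for HTML, the Python counterpart of
    htmlspecialchars($group, ENT_QUOTES, 'UTF-8')."""
    return html.escape(name, quote=True)


def audit(rows):
    """Return (id, value_after_cleanup, escaped_value) for rows to review."""
    findings = []
    for row_id, name in rows:
        cleaned = blacklist_cleanup(name)
        if needs_review(cleaned):
            findings.append((row_id, cleaned, render_escaped(cleaned)))
    return findings


if __name__ == "__main__":
    for row_id, cleaned, escaped in audit(SAMPLE_ROWS):
        print(f"id={row_id} stored={cleaned!r} rendered={escaped!r}")
```

Rows 2, 3 and 4 are still reported after the blacklist pass, while the escaped form of every row is inert text regardless of what was stored.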
Detection Code:
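import requests

def check_xss(url):
    # Submit a marker payload as the group name and report whether it comes back unescaped.
    test_payload = "<svg/onload=alert(1)>"
    r = requests.post(url + '/poller/groups', data={'group_name': test_payload}, timeout=10)
    return test_payload in r.text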
Patch Code:
// Fixed code for addhost.inc.php - echo $group; + echo htmlspecialchars($group, ENT_QUOTES, 'UTF-8');
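Review bot: the replacement of `echo $group;` covers a single output statement in addhost.inc.php, while the description above places the stored name on the poller groups page, so any other template that prints a group name needs the same `htmlspecialchars($group, ENT_QUOTES, 'UTF-8')` call. The patch also carries no file header or `@@` context, so it is not possible to tell which `echo` in the file is being changed; please post it as a full unified diff.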
Upgrade Command:
cd /opt/librenms && git pull && ./validate.php
Sources:
Reported By: github.com