How CVE-2025-47931 Works
The vulnerability exists in LibreNMS’s group management interface (`http://localhost/poller/groups`). When a poller group is created or edited, the application does not sanitize the user-supplied `group name` parameter. Attackers can inject malicious JavaScript payloads through this field, and the payloads are stored in the database. When administrators or other privileged users view the poller groups page, the payload executes in their browser session. This allows session hijacking, credential theft, or administrative actions on behalf of the victim. The attack persists until the malicious group entry is removed.
DailyCVE Form
Platform: LibreNMS
Version: ≤25.4.0
Vulnerability: Stored XSS
Severity: Critical
Date: 05/28/2025
Prediction: Patch expected by 06/10/2025
What Undercode Say:
Proof-of-Concept Exploit
```javascript
fetch('/poller/groups', {
  method: 'POST',
  body: 'name=<script>alert(document.cookie)</script>&other_params=legit'
});
```

Mitigation Command (until patch)
```bash
# Rewrites the rest of every matching line in place; back up the file first and review the result.
sudo sed -i "s|'name' => .*|'name' => htmlspecialchars(\$value)|g" /opt/librenms/includes/html/forms/poller-groups.inc.php
```

Detection Query
```sql
SELECT * FROM poller_groups WHERE name REGEXP '<script|javascript:';
```

Nginx WAF Rule
```nginx
# $args holds only the query string, so this rule does not inspect POST bodies.
location ~ /poller/groups {
    set $xss 0;
    if ($args ~ "<script|javascript:") { set $xss 1; }
    if ($xss = 1) { return 403; }
}
```

PHP Sanitization Fix
```php
$group_name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
```

Database Cleanup
```sql
UPDATE poller_groups SET name = REGEXP_REPLACE(name, '<[^>]*>', '');
```

Curl Verification
```bash
curl -X GET "http://librenms/poller/groups" | grep -E "<script|alert\("
```

SNORT Rule
```
alert tcp any any -> $HOME_NET 80 (msg:"LibreNMS XSS Attempt"; content:"/poller/groups"; nocase; content:"name="; nocase; pcre:"/<script[^>]*>/i"; sid:1000005; rev:1;)
```

Patch Verification
```bash
grep -r "htmlspecialchars" /opt/librenms/includes/html/forms/poller-groups.inc.php
```

Temporary Apache .htaccess Fix
```apache
# QUERY_STRING covers only the URL query string, not POST bodies.
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} javascript:.*(.*) [NC]
RewriteRule ^poller/groups - [F,L]
```

Log Analysis Command
```bash
tail -f /var/log/librenms/librenms.log | grep -E "POST /poller/groups|XSS"
```

PHP.ini Hardening
```bash
# "sudo echo ... >> file" fails because the redirect runs as the calling user; tee -a appends as root.
echo "session.cookie_httponly=1" | sudo tee -a /etc/php/8.2/apache2/php.ini
echo "session.cookie_secure=1" | sudo tee -a /etc/php/8.2/apache2/php.ini
```
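An added example, not from the original post or from LibreNMS: the detection and sanitization steps above in Python, auditing stored group names against an allowlist rather than the `<script|javascript:` pattern, and encoding on output the way `htmlspecialchars` with `ENT_QUOTES` does. The allowlist pattern, the function names and the sample rows are assumptions made for illustration.

```python
import html
import re

# Assumption: a poller group name only needs letters, digits, spaces and a
# few separators. Adjust the allowlist to your own naming scheme.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


def audit_group_names(rows):
    """Return the (id, name) pairs whose name falls outside the allowlist.

    `rows` is an iterable of (id, name) tuples, for example an export of
    the poller groups table. Anything not matching SAFE_NAME is flagged,
    so markup that a '<script' denylist would miss is still reported.
    """
    return [(gid, name) for gid, name in rows if not SAFE_NAME.fullmatch(name)]


def render_cell(name):
    """HTML-encode a stored name at output time.

    html.escape(quote=True) turns & < > " ' into entities, so a stored
    payload is displayed as text and the stored value is left unchanged.
    """
    return "<td>" + html.escape(name, quote=True) + "</td>"


# Constructed sample rows; row 3 reuses the payload from the PoC above,
# row 4 is a harmless name that still needs encoding to display correctly.
SAMPLE_ROWS = [
    (1, "General"),
    (2, "dc-east pollers"),
    (3, "<script>alert(document.cookie)</script>"),
    (4, "Tom & Jerry's rack"),
]

if __name__ == "__main__":
    for gid, name in audit_group_names(SAMPLE_ROWS):
        print(f"review group {gid}: {name!r} -> {render_cell(name)}")
```

Row 4 shows why encoding at output is preferable to stripping characters from stored data: the name is legitimate, gets flagged only for review, and still renders correctly once encoded.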
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode