3.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62412

GHSA ID

GHSA-6g2v-66ch-6xmh

EPSS Score

CWE

CWE-79

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62412

CVE-2025-62412: LibreNMS alert-rules has a Cross-Site Scripting Vulnerability

Executive Summary

Product: LibreNMS
Vendor: LibreNMS
Vulnerability Type: Cross-Site Scripting (XSS)
CVSS Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
Affected Version: 25.8.0 (latest at time of discovery)
POC File: Download POC Ticket: ZDI-CAN-28105: LibreNMS Alert Rules Cross-Site Scripting Vulnerability

Vulnerability Details

Description

Trend Micro's Zero Day Initiative has identified a Cross-Site Scripting vulnerability in LibreNMS. The vulnerability exists in the Alert Rules functionality where the alert rule name is not properly sanitized, allowing injection of HTML code.

Technical Details

Version Tested: 25.8.0
Installer File: 25.8.0.tar.gz
Download Link: https://github.com/librenms/librenms/archive/refs/tags/25.8.0.tar.gz
Platform: N/A

Attack Vector

When browsing to Alerts > Alert Rules page, a LibreNMS admin can add and manage alert rules. The alert rule name field is vulnerable to XSS attacks through improper sanitization.

Root Cause Analysis

Vulnerable Request

When creating or updating an alert rule, the following HTTP POST request is sent to /ajax_form.php:

POST /ajax_form.php HTTP/1.1
...

_token=9YjTntCuMIe2ujpumwqJQoENRXUhJzlDt33Xu7kx&device_id=-1&device_name=&rule_id=&type=alert-rules&template_id=&builder_json=%7B%22condition%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22id%22%3A%22access_points.accesspoint_id%22%2C%22field%22%3A%22access_points.accesspoint_id%22%2C%22type%22%3A%22string%22%2C%22input%22%3A%22text%22%2C%22operator%22%3A%22equal%22%2C%22value%22%3A%2242%22%7D%5D%2C%22valid%22%3Atrue%7D&name=%3Ci%3Efoo%3C%2Fi%3E&builder_rule_0_filter=access_points.accesspoint_id&builder_rule_0_operator=equal&builder_rule_0_value_0=42&severity=warning&count=1&delay=1m&interval=5m&recovery=on&acknowledgement=on&proc=&notes=&adv_query=

Code Flow

Request Processing: PHP script includes/html/forms/alert-rules.inc.php processes the request
Sanitization Attempt: Calls strip_tags() to sanitize the name parameter
Database Operation: Calls dbUpdate() or dbInsert() to save the rule

Bypass Technique

The sanitization can be bypassed using XML character references:

&lt;script>alert(1)&lt;/script>

Execution Path

Page Load: Victim browses to Alerts > Alert Rules page
Script Execution: includes/html/print-alert/rules.php is called
Modal Inclusion: Includes includes/html/modal/alert_rule_list.inc.php which returns HTML for modal window
Table Rendering: Modal contains HTML table with all rules and inline JavaScript calling bootgrid() function
XSS Trigger: The bootgrid() function (http://www.jquery-bootgrid.com/) rewrites table cells, decoding XML character references
Code Execution: Browser interprets the decoded payload as HTML tags and executes the injected script

Proof of Concept

Usage

python3 poc.py client ip_addr -U <username> -P <password>

Optional Parameters

-E [kvp|multipart] - Specify HTTP request parameter encoding

Credit

Discovered by: Simon Humbert of Trend Research, Trend Micro

About Zero Day Initiative (ZDI)

Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

References

ZDI Website: http://www.zerodayinitiative.com
Disclosure Policy: http://www.zerodayinitiative.com/advisories/disclosure_policy/

(GitHub Advisory)

3.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62412

GHSA ID

GHSA-6g2v-66ch-6xmh

EPSS Score

CWE

CWE-79

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
librenms/librenms	composer	<= 25.8.0	25.10.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) in the LibreNMS alert rules functionality. The root cause is twofold: insufficient input sanitization and a lack of output escaping.

Input Processing: As detailed in the vulnerability description, when an alert rule is created via ajax_form.php, the name parameter is processed by includes/html/forms/alert-rules.inc.php. This script attempts to sanitize the input using strip_tags(), but this function can be bypassed using techniques like XML character references, allowing a malicious payload to be stored in the database.
Output Rendering: The provided patch (dccdf6769976a974d70f06a7ce8d5a846b29db6f) clearly shows where the vulnerability is triggered. The file includes/html/modal/alert_rule_list.inc.php is responsible for displaying the list of alert rules. Before the patch, it directly rendered the rule name ({$rule['name']}) into the HTML. This allows the stored malicious payload to be executed in the victim's browser.

The identified vulnerable function is the script alert_rule_list.inc.php itself, as the vulnerable code is within its global scope and is executed when the file is included to generate the alert list. A runtime profiler would show this script in the execution path when the vulnerability is triggered by a user viewing the alert rules page.

Vulnerable functions

alert_rule_list.inc.php

includes/html/modal/alert_rule_list.inc.php

This PHP script is responsible for rendering the list of alert rules within a modal dialog. The vulnerability lies in the line where the alert rule's name, `{$rule['name']}`, is directly echoed into an HTML table cell without proper output escaping. An attacker can create an alert rule with a malicious name containing a script payload. When a user views the list of alert rules, this script is executed in their browser. The patch fixes this by wrapping the output with the `e()` function, which is a common helper for `htmlspecialchars` to prevent XSS.

WAF Protection Rules

WAF Rule

## *x**utiv* Summ*ry **Pro*u*t:** Li*r*NMS **V*n*or:** Li*r*NMS **Vuln*r**ility Typ*:** *ross-Sit* S*riptin* (XSS) ***VSS S*or*:** *.* (*V:N/**:L/PR:*/UI:R/S:U/*:L/I:L/*:L) *******t** V*rsion:** **.*.* (l*t*st *t tim* o* *is*ov*ry) **PO* *

Reasoning

T** vuln*r**ility is * stor** *ross-Sit* S*riptin* (XSS) in t** Li*r*NMS *l*rt rul*s *un*tion*lity. T** root **us* is two*ol*: insu**i*i*nt input s*nitiz*tion *n* * l**k o* output *s**pin*. *. **Input Pro**ssin***: *s **t*il** in t** vuln*r**ility

3.8

Basic Information

Concerned about an active attack path?

CVE-2025-62412: LibreNMS alert-rules has a Cross-Site Scripting Vulnerability

Executive Summary

Vulnerability Details

Description

Technical Details

Attack Vector

Root Cause Analysis

Vulnerable Request

Code Flow

Bypass Technique

Execution Path

Proof of Concept

Usage

Optional Parameters

Credit

About Zero Day Initiative (ZDI)

References

3.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI