6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65013

GHSA ID

GHSA-j8cq-7f6p-256x

EPSS Score

CWE

CWE-79

Published

11/18/2025

Updated

11/18/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65013

CVE-2025-65013: LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser.

Details

Vulnerable Endpoint: GET /maps/nodeimage
Parameter: Image Name (reflected in response)
Vulnerability type: Reflected Cross-Site Scripting (XSS) — input is reflected in server response and executed in victim browser.
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)

Description

The application takes the value of the Image Name parameter from a request to /maps/nodeimage and includes it in the generated page or response without proper contextual encoding. Because the input is reflected immediately back to the client and parsed as HTML/JavaScript by the browser, an attacker can craft a URL containing a malicious script. If a victim (for example, an authenticated user or administrator) is tricked into visiting that URL, the injected script will execute in the victim’s browser context.

Proof of Concept (PoC)

Construct a request that includes the following payload in the Image Name parameter. The payload below should be used exactly as provided:

<script>alert('PoC-XXS51')</script>

Steps to reproduce

Authenticate as any user allowed to manage Node Images;
Navigate the endpoint '/maps/nodeimage' and click on "New Image". Choose any valide image and, on parameter, insert the payload above .

Miggo Vulnerability Database

→

CVE-2025-65013

CVE-2025-65013:

6.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65013

GHSA ID

GHSA-j8cq-7f6p-256x

EPSS Score

CWE

CWE-79

Published

11/18/2025

Updated

11/18/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
librenms/librenms	composer	< 25.11.0	25.11.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the /maps/nodeimage endpoint of LibreNMS. The Image Name parameter was not properly sanitized before being reflected in the server's response.

The analysis of the security patch, commit 3daddcf66cdbb93ea8aa40ac439cbca5beae5280, reveals the exact location of the vulnerability. The patch modifies the app/Http/Controllers/Maps/CustomMapNodeImageController.php file.

Specifically, two methods in the CustomMapNodeImageController class were fixed:

store(): This method handles the creation of new node images. The original code returned the raw image name ($image->name) in the JSON response. The patch applies htmlentities() to this value.
update(): This method handles updates to existing node images. The original code returned the raw request input for the name ($request['name']) in the JSON response. The patch applies htmlentities() to the name from the model ($image->name) before sending it in the response.

These changes confirm that both the creation and update operations were vulnerable. An attacker could inject a malicious script into the Image Name field, which would then be executed in the browser of a user viewing the response. Therefore, the store and update functions are the vulnerable functions that would appear in a runtime profile during exploitation. The profiler would show them as LibreNMS\Http\Controllers\Maps\CustomMapNodeImageController::store and LibreNMS\Http\Controllers\Maps\CustomMapNodeImageController::update.

Vulnerable functions

LibreNMS\Http\Controllers\Maps\CustomMapNodeImageController::store

app/Http/Controllers/Maps/CustomMapNodeImageController.php

The `store` function was vulnerable to reflected XSS. It processed the user-provided 'Image Name' when creating a new node image and reflected it back in the JSON response without proper output encoding. The patch added `htmlentities()` to sanitize the name before including it in the response, thus mitigating the XSS vulnerability.

LibreNMS\Http\Controllers\Maps\CustomMapNodeImageController::update

app/Http/Controllers/Maps/CustomMapNodeImageController.php

The `update` function was vulnerable to reflected XSS. It processed the user-provided 'Image Name' when updating an existing node image and reflected it back in the JSON response without proper output encoding. The patch added `htmlentities()` to sanitize the name before including it in the response, thus mitigating the XSS vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65013: LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`

Summary

Details

Description

Proof of Concept (PoC)

Steps to reproduce

CVE-2025-65013:

6.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.2

6.2

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-65013: LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`

Summary

Details

Description

Proof of Concept (PoC)

Steps to reproduce

Observed behavior

Impact

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI