CVE-2025-68614 is a stored cross-site scripting (XSS) vulnerability affecting LibreNMS, an open-source network monitoring platform widely used for infrastructure visibility and alerting.
The flaw exists in the Alert Rule API, where user-supplied input is improperly validated before being stored and later rendered in the web interface.
Vulnerability Mechanics
Root Cause
The vulnerability arises from insufficient input sanitization in the alert rule creation and update process:
- Alert rules can be created or modified via an API endpoint.
- The alert rule name field accepts attacker-controlled input.
- Malicious HTML or JavaScript is stored directly in the backend.
- When the alert rule is displayed in the LibreNMS web interface, the payload is executed in the browser.
This makes the vulnerability persistent, as the payload remains active until the malicious alert rule is removed.
Attack Flow
- An authenticated user with access to the Alert Rule API submits a crafted payload as the alert rule name.
- The payload is stored in the database without proper sanitization.
- Another user (often an administrator) views the alert rules page.
- The malicious script executes in the victim’s browser under their authenticated session.
Security Impact
Although the vulnerability does not directly affect the server or underlying operating system, it can have serious secondary consequences:
- Session hijacking via stolen cookies or tokens
- Credential harvesting through injected scripts
- Unauthorized actions performed in the context of privileged users
- Persistent UI manipulation, such as hiding or falsifying alerts
- Redirection to malicious resources
In environments where monitoring dashboards are trusted operational tools, this can undermine incident response, operational awareness, and security decision-making.
Severity Considerations
The vulnerability is generally classified as medium severity due to:
- Requirement for authenticated access
- No direct server-side code execution
- Impact limited to client-side execution
However, in real-world deployments, the risk may be higher than the score suggests, especially in:
- Multi-user environments
- Organizations with shared admin dashboards
- Networks where LibreNMS is used by security or NOC teams
Stored XSS in administrative interfaces is often leveraged as a stepping stone for broader compromise.
Remediation
Primary Fix
- Upgrade LibreNMS to version 25.12.0 or later, which introduces proper sanitization and output encoding for alert rule fields.
Compensating Controls (If Upgrade Is Delayed)
- Restrict Alert Rule API access to a minimal set of trusted users.
- Apply strict role-based access control (RBAC).
- Filter or block HTML/JavaScript input at API boundaries.
- Monitor for suspicious alert rule names or unexpected UI behavior.
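A check along the lines of the last two controls, as an added example rather than LibreNMS code: it runs over a constructed rule list in the shape one might get back from the rules API (the `rules`/`id`/`name` field names are an assumption), flags rule names that carry markup, and shows the HTML output encoding the fix relies on.

```python
import html
import json
import re

# Constructed sample standing in for a rules listing; the field names are assumed.
# Rule 5 is a legitimate name with "<" and "&" that must not be flagged.
SAMPLE_RULES_JSON = json.dumps({"rules": [
    {"id": 1, "name": "CPU over 90%"},
    {"id": 2, "name": "Link down <b>core-sw1</b>"},
    {"id": 3, "name": "<script>alert(1)</script>"},
    {"id": 4, "name": "Disk <img src=x onerror=alert(1)>"},
    {"id": 5, "name": "Temp > 60C & fan < 500rpm"},
]})

# Patterns that have no business in a human-written alert rule name.
SUSPICIOUS = [
    (re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.I), "html-tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event-handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript-uri"),
    (re.compile(r"&#x?[0-9a-f]+;|%3c|%3e", re.I), "encoded-markup"),
]


def classify_rule_name(name: str) -> list[str]:
    """Return the labels of every suspicious pattern found in a rule name."""
    return [label for pat, label in SUSPICIOUS if pat.search(name)]


def find_suspicious_rules(rules_json: str) -> dict[int, list[str]]:
    """Map rule id -> matched labels for each rule whose name looks like markup."""
    rules = json.loads(rules_json)["rules"]
    return {r["id"]: labels for r in rules
            if (labels := classify_rule_name(r["name"]))}


def render_rule_name(name: str) -> str:
    """Output-encode a rule name so stored markup is shown as text, not parsed as DOM."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for rid, labels in find_suspicious_rules(SAMPLE_RULES_JSON).items():
        print(f"rule {rid}: {', '.join(labels)}")
    print(render_rule_name("<script>alert(1)</script>"))
```

Pointing `find_suspicious_rules` at a periodic export of the rule list gives a simple alert on unexpected rule names; `render_rule_name` is the encoding step that an upgraded install applies at display time.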
Operational Risk Context
Monitoring systems like LibreNMS often operate with elevated trust:
- They are viewed daily by administrators.
- They influence operational and security decisions.
- They may integrate with automation or incident workflows.
A compromised monitoring UI can:
- Suppress real alerts
- Generate misleading data
- Erode trust in monitoring outputs
Because of this, client-side vulnerabilities in monitoring platforms should be treated with elevated priority, even when formally scored as medium.
Summary Table
| Category | Details |
|---|---|
| Vulnerability Type | Stored Cross-Site Scripting (XSS) |
| Affected Component | Alert Rule API |
| Attack Prerequisites | Authenticated access |
| Persistence | Yes |
| Primary Impact | Client-side code execution |
| Fixed Version | LibreNMS ≥ 25.12.0 |
| Overall Risk | Moderate to High (context-dependent) |
