CVE-2025-54138

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81", "name": "https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81", "tags": ["Patch"], "refsource": ""}, {"url": "https://github.com/librenms/librenms/pull/17990", "name": "https://github.com/librenms/librenms/pull/17990", "tags": ["Issue Tracking"], "refsource": ""}, {"url": "https://github.com/librenms/librenms/releases/tag/25.7.0", "name": "https://github.com/librenms/librenms/releases/tag/25.7.0", "tags": ["Release Notes"], "refsource": ""}, {"url": "https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2", "name": "https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2", "tags": ["Exploit", "Vendor Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path \u2014 for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-98"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-54138", "ASSIGNER": "security-advisories@github.com"}}, "impact": {}, "publishedDate": "2025-07-22T22:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "25.7.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-08-05T17:52Z"}