CVE-2025-65093

LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint

CVSS 5.5 MEDIUMEPSS 3.2%CWE-89

In short

LibreNMS has a SQL injection flaw in its ajax_output.php endpoint where the hostname parameter is not properly cleaned before being used in database queries. An attacker can exploit this to extract sensitive information from the database by sending specially crafted requests and observing the application's responses.

Technical detail

A boolean-based blind SQL injection vulnerability exists in the hostname parameter of the /ajax_output.php endpoint in LibreNMS versions prior to 25.11.0, where unsanitized user input is directly concatenated into SQL queries without prepared statements. An unauthenticated attacker can craft malicious HTTP requests to infer database contents through time-based or conditional response analysis, potentially exposing sensitive monitoring data and system credentials.

Summary generated and translated by AI from the official description.

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Affected products

librenms · librenms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9