CVE-2025-54138: LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE
LibreNMS 25.6.0 contains a file inclusion vulnerability in the ajax_form.php endpoint: the file that gets included is chosen from user-controlled POST input. The advisory titles it Remote File Inclusion; note that the include path is rooted in the application's own includes/ directory, so no URL wrapper is involved and the sink is, in practice, a local file inclusion driven by the request. The endpoint requires an authenticated session, which is why the issue is classed as authenticated. The referenced pull request and the 25.7.0 release carry the fix.
The application uses the type POST parameter directly to build the path of an .inc.php file under includes/html/forms/ and includes it, with no validation, normalization, or allowlisting:
```php
// Vulnerable pattern as shipped: $_POST['type'] is concatenated into the
// include path unchanged, so the only check is that the resulting file exists.
if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {
    include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';
}
```
This pattern is a latent Remote Code Execution (RCE) vector: any file the include can reach is executed as PHP if an attacker can stage it first, for example via a symlink, a development misconfiguration, or a chained vulnerability. Because type is concatenated without path normalization, a value containing ../ sequences escapes includes/html/forms/, so the candidate files are not limited to that directory: any file whose name ends in .inc.php and which the PHP process can read is a target.
This is not an arbitrary file upload bug on its own. What it provides is a powerful execution sink for an attacker who already has direct or indirect write access somewhere the include can reach. Operators should upgrade to 25.7.0 or later, where the referenced fix is present, and treat any unexplained .inc.php file or symlink under includes/html/forms/ on an exposed 25.6.0 instance as suspicious.
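The following is an added example, not LibreNMS code and not the project's fix. It reproduces the include pattern from ajax_form.php against a throwaway directory tree, shows how a traversal value and a staged symlink both reach a file outside the intended directory, and contrasts it with a hardened resolver that uses an exact-match allowlist plus a realpath() containment check. The WEB_ROOT constant, the file names, the FORM_ALLOWLIST contents and the handler return strings are all assumptions made for the demonstration; it needs PHP 8 (str_starts_with) and a filesystem that supports symlinks for the symlink case.

```php
<?php
declare(strict_types=1);

// Added example, not LibreNMS code. WEB_ROOT, the file names and the
// allowlist below are assumptions for the demo. Requires PHP 8.
define('WEB_ROOT', sys_get_temp_dir() . '/ajax_form_demo_' . bin2hex(random_bytes(4)));
$formsDir = WEB_ROOT . '/includes/html/forms';
mkdir($formsDir, 0700, true);
mkdir(WEB_ROOT . '/storage', 0700, true);

// One legitimate handler inside the include directory, one attacker-staged
// file outside it, and a symlink inside the directory pointing at the latter
// (the "symlink" staging scenario described in the advisory text).
file_put_contents($formsDir . '/alert-rules.inc.php', "<?php return 'alert-rules handler ran';\n");
file_put_contents(WEB_ROOT . '/storage/evil.inc.php', "<?php return 'ATTACKER FILE EXECUTED';\n");
@symlink(WEB_ROOT . '/storage/evil.inc.php', $formsDir . '/device.inc.php');

// Vulnerable pattern: the user-controlled segment is concatenated straight into
// the include path. `include` instead of `include_once` only so the demo can
// load the same file more than once; the sink is otherwise identical.
function vulnerable_include(string $type): mixed
{
    $path = WEB_ROOT . '/includes/html/forms/' . $type . '.inc.php';
    if (file_exists($path)) {
        return include $path;
    }
    return 'not found';
}

// Hardened resolver: exact-match allowlist first, then a realpath()
// containment check so that neither traversal nor a symlink can make an
// allowlisted name resolve to a file outside the include directory.
const FORM_ALLOWLIST = ['alert-rules', 'device', 'port'];

function safe_include(string $type): mixed
{
    if (!in_array($type, FORM_ALLOWLIST, true)) {
        return 'rejected: type not in allowlist';
    }
    $base = realpath(WEB_ROOT . '/includes/html/forms');
    $real = realpath($base . '/' . $type . '.inc.php');
    if ($real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return 'rejected: resolves outside include directory';
    }
    return include $real;
}

// Climbs forms -> html -> includes -> WEB_ROOT, then descends into storage/.
$traversal = '../../../storage/evil';

printf("vulnerable('alert-rules')       : %s\n", vulnerable_include('alert-rules'));
printf("vulnerable(traversal)           : %s\n", vulnerable_include($traversal));
printf("vulnerable('device' via symlink): %s\n", vulnerable_include('device'));
printf("safe(traversal)                 : %s\n", safe_include($traversal));
printf("safe('device' via symlink)      : %s\n", safe_include('device'));
printf("safe('alert-rules')             : %s\n", safe_include('alert-rules'));

// Remove the throwaway tree.
@unlink($formsDir . '/device.inc.php');
unlink($formsDir . '/alert-rules.inc.php');
unlink(WEB_ROOT . '/storage/evil.inc.php');
rmdir($formsDir);
rmdir(WEB_ROOT . '/includes/html');
rmdir(WEB_ROOT . '/includes');
rmdir(WEB_ROOT . '/storage');
rmdir(WEB_ROOT);
```

Run it with `php demo.php`. The two vulnerable calls with the traversal value and with the symlinked name both print the attacker file's return value, which is the execution sink the advisory describes; the hardened resolver rejects the traversal at the allowlist and rejects the symlink at the realpath check even though `device` is an allowed name. The allowlist alone would not have caught the symlink case, which is why the containment check is kept as a second layer.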
References
- github.com/advisories/GHSA-gq96-8w38-hhj2
- github.com/librenms/librenms
- github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81
- github.com/librenms/librenms/pull/17990
- github.com/librenms/librenms/releases/tag/25.7.0
- github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2
- nvd.nist.gov/vuln/detail/CVE-2025-54138