GHSA-5mrf-j8v6-f45g

Source
https://github.com/advisories/GHSA-5mrf-j8v6-f45g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-5mrf-j8v6-f45g/GHSA-5mrf-j8v6-f45g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5mrf-j8v6-f45g
Aliases
Published
2025-11-18T18:24:26Z
Modified
2025-11-20T10:32:18.381623Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
LibreNMS has Weak Password Policy
Details

Summary

A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks.


Details

Vulnerable Component: User creation / password definition

The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.


PoC

  1. Log in to the application using an Administrator account.

  2. Navigate to the user management section.

  3. Create a new user account using the password 12345678.

  4. The application accepts the weak password without restrictions and creates the account successfully.


Impact

Weak password policy vulnerabilities can have severe consequences, including:

  • Increased risk of brute-force and credential stuffing attacks

  • Unauthorized access to user or administrative accounts

  • Privilege escalation through compromised credentials

  • Degradation of the overall security posture of the platform


Mitigation

  • Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).

  • Block the use of commonly known weak passwords (e.g., 12345678, password, admin, qwerty).
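A reference check that implements the two mitigations above (minimum length with character-class requirements, plus a denylist of well-known weak passwords), added here as an illustration; it is not LibreNMS's own code, and the denylist is a constructed sample rather than a real breached-password list.

```python
import string

# Constructed sample denylist; a deployment would load a large list of
# breached or commonly used passwords instead (assumption: matching is
# case-insensitive on the whole password).
COMMON_WEAK_PASSWORDS = frozenset({
    "12345678", "123456789", "password", "admin", "qwerty", "letmein",
})

MIN_LENGTH = 12


def password_violations(password: str, denylist=COMMON_WEAK_PASSWORDS) -> list[str]:
    """Return the policy rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # ASCII punctuation counts as "special"; whitespace does not.
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in denylist:
        problems.append("commonly used weak password")
    return problems


def is_acceptable(password: str, denylist=COMMON_WEAK_PASSWORDS) -> bool:
    """True only when every rule in the policy is satisfied."""
    return not password_violations(password, denylist)


if __name__ == "__main__":
    for candidate in ("12345678", "Password1!", "Correct-Horse-Battery-9"):
        print(candidate, "->", password_violations(candidate) or "accepted")
```

The user-creation handler would reject the request whenever the returned list is non-empty, reporting each violation so the administrator can choose a compliant password.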

Database specific
{
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-521"
    ],
    "nvd_published_at": "2025-11-18T23:15:56Z",
    "github_reviewed_at": "2025-11-18T18:24:26Z"
}
References

Affected packages

Packagist / librenms/librenms

Package

Name
librenms/librenms
Purl
pkg:composer/librenms/librenms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
25.11.0

Affected versions

1.*

1.19
1.20
1.20.1
1.21
1.22
1.22.01
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.30
1.30.01
1.31
1.31.01
1.31.02
1.31.03
1.32
1.32.01
1.33
1.33.01
1.34
1.35
1.36
1.36.01
1.37
1.38
1.39
1.40
1.41
1.42
1.42.01
1.43
1.44
1.45
1.46
1.47
1.48
1.48.1
1.49
1.50
1.50.1
1.51
1.52
1.53
1.53.1
1.54
1.55
1.56
1.57
1.58
1.58.1
1.59
1.60
1.61
1.62
1.62.1
1.62.2
1.63
1.64
1.64.1
1.65
1.65.1
1.66
1.67
1.68
1.69
1.70.0
1.70.1

21.*

21.1.0
21.2.0
21.3.0
21.4.0
21.5.0
21.5.1
21.6.0
21.7.0
21.8.0
21.9.0
21.9.1
21.10.0
21.10.1
21.10.2
21.11.0
21.12.0
21.12.1

22.*

22.1.0
22.2.0
22.2.1
22.2.2
22.3.0
22.4.0
22.4.1
22.5.0
22.6.0
22.7.0
22.8.0
22.9.0
22.10.0
22.11.0
22.12.0

23.*

23.1.0
23.1.1
23.2.0
23.4.0
23.4.1
23.5.0
23.6.0
23.7.0
23.8.0
23.8.1
23.8.2
23.9.0
23.9.1
23.10.0
23.11.0

24.*

24.1.0
24.2.0
24.3.0
24.4.0
24.4.1
24.5.0
24.6.0
24.7.0
24.8.0
24.8.1
24.9.0
24.9.1
24.10.0
24.10.1
24.11.0
24.12.0

25.*

25.1.0
25.2.0
25.3.0
25.4.0
25.5.0
25.6.0
25.7.0
25.8.0
25.9.0
25.9.1
25.10.0